
Win32/Patched.AC Infection


  • This topic is locked
27 replies to this topic

#1 siobhain

siobhain

  • Members
  • 23 posts
  • OFFLINE
  • Local time:10:35 AM

Posted 15 December 2010 - 01:17 AM

My girlfriend's computer was running really slow and she asked me to install an antivirus on it. First I installed AVG and it found Win32/Patched.AC in both explorer.exe and winlogon.exe. I then uninstalled it and installed Panda Cloud Antivirus. It was able to clean things up a bit more but was still left with winlogon.exe infected. I then later ran Malwarebytes, which cleaned up a host of other infections, but winlogon.exe was still left infected with Win32/Patched.AC. So please, I am at my wits' end, help me to remove this infection. Thank you, in advance!


DDS (Ver_10-12-12.02) - NTFSx86
Run by Admin at 13:55:50,32 on 15.12.2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.2038.1391 [GMT 8:00]

AV: Panda Cloud Antivirus *Enabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VistaDriveIcon\VistaDrv.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Admin\Рабочий стол\dds.scr
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANToManager.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mDefault_Page_URL = hxxp://www.google.com
mStart Page = about:blank
uURLSearchHooks: H - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Яндекс.Бар: {91397d20-1446-11d4-8af4-0040ca1127b6} - c:\program files\yandex\yandexbarie\yndbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [VistaIcon] c:\program files\vistadriveicon\VistaDrv.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot
mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [VistaIcon] c:\program files\vistadriveicon\VistaDrv.exe
dRun: [asdfjnkads.exe] c:\asdfjnkads.exe\asdfjnkads.exe
dRunOnce: [ZZZZ2_FirstLogonSetting] %SystemRoot%\System32\rundll32.exe advpack.dll,LaunchINFSection c:\windows\inf\custom.inf,NewUserFirstLogonInstall,0
dRunOnce: [IE7_011] regsvr32 /s /n /i:u shell32
dRunOnce: [IE7_012] rundll32 advpack.dll,LaunchINFSectionEx IE7int.inf,AfterUserStart,,4,N
StartupFolder: c:\documents and settings\admin\главное меню\программы\автозагрузка\igfxtray.exe
StartupFolder: c:\docume~1\admin\5d29~1\4a66~1\60c2~1\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: QQ - c:\program files\tencent\qqintl\bin\AddEmotion.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\7tv2qnah.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yandex.ru/?clid=40795
FF - component: c:\documents and settings\admin\application data\mozilla\firefox\profiles\7tv2qnah.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\admin\application data\mozilla\firefox\profiles\7tv2qnah.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Fast Dial: fastdial@telega.phpnet.us - %profile%\extensions\fastdial@telega.phpnet.us
FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
FF - Ext: Cooliris: piclens@cooliris.com - %profile%\extensions\piclens@cooliris.com
FF - Ext: Яндекс.Бар: yasearch@yandex.ru - %profile%\extensions\yasearch@yandex.ru
FF - Ext: Past Modern: {81514210-E22A-4e69-93D5-E1EFD45B4620} - %profile%\extensions\{81514210-E22A-4e69-93D5-E1EFD45B4620}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

R0 iastor78;iastor78;c:\windows\system32\drivers\iastor78.sys [2008-8-22 308248]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-12-12 28552]
R0 PsBoot;Panda boot driver;c:\windows\system32\drivers\PsBoot.sys [2010-12-15 30280]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2010-6-17 129992]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2010-8-9 140608]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2010-5-27 141384]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2010-7-21 97096]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2010-4-30 111624]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2010-7-21 112456]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-9-15 136176]

=============== File Associations ===============

chm.file="hh.exe" %1
txtfile=c:\windows\notepad.exe %1

=============== Created Last 30 ================

2010-12-15 05:46:45 30280 ----a-w- c:\windows\system32\drivers\PsBoot.sys
2010-12-12 14:53:16 -------- d-----w- c:\docume~1\admin\applic~1\Malwarebytes
2010-12-12 14:53:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-12 14:53:08 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-12-12 14:53:04 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-12 14:53:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-12 10:10:23 -------- d-----w- c:\docume~1\admin\applic~1\Panda Security
2010-12-12 10:07:07 -------- d-----w- c:\docume~1\alluse~1\applic~1\Panda Security
2010-12-12 03:00:02 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-12-12 02:59:53 -------- d-----w- c:\program files\Panda Security
2010-12-12 02:05:18 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-12-12 02:05:18 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-12-12 02:05:18 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-12-12 02:05:18 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-12-12 02:05:18 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-12-12 02:05:17 -------- d-----w- c:\program files\Trojan Remover
2010-12-12 02:05:17 -------- d-----w- c:\docume~1\alluse~1\applic~1\Simply Super Software
2010-12-12 02:05:17 -------- d-----w- c:\docume~1\admin\applic~1\Simply Super Software
2010-12-11 14:54:14 -------- d-----w- c:\docume~1\admin\applic~1\AVG10
2010-12-11 14:53:18 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2010-12-11 14:52:31 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2010-12-11 14:35:02 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-12-11 13:52:33 733 ----a-w- c:\windows\uduqaxuwibiqo.dll
2010-12-11 13:51:32 -------- d-----w- c:\windows\pss
2010-12-11 13:30:34 733 ----a-w- c:\windows\uhusobuzitoway.dll
2010-12-11 09:39:27 -------- d-----w- C:\Yandex
2010-12-09 04:40:06 731 ----a-w- c:\windows\ufefesuf.dll
2010-12-09 02:26:44 731 ----a-w- c:\windows\otanukonejiqal.dll
2010-12-08 12:06:48 731 ----a-w- c:\windows\ecuwevanuza.dll
2010-12-08 07:26:01 731 ----a-w- c:\windows\ewudevip.dll
2010-12-07 10:21:38 731 ----a-w- c:\windows\usesilar.dll
2010-12-06 10:36:54 731 ----a-w- c:\windows\itafoxosivolup.dll
2010-12-01 11:46:45 106496 ----a-r- c:\docume~1\admin\applic~1\microsoft\installer\{3ca54984-a14b-42fe-9ff1-7ea90151d725}\NewShortcut311_0951773981FA4AB2BC21B7DCEC95892A.exe
2010-12-01 11:46:45 106496 ----a-r- c:\docume~1\admin\applic~1\microsoft\installer\{3ca54984-a14b-42fe-9ff1-7ea90151d725}\NewShortcut31_2F252077BA3F4362913955273A708467.exe
2010-12-01 11:46:45 106496 ----a-r- c:\docume~1\admin\applic~1\microsoft\installer\{3ca54984-a14b-42fe-9ff1-7ea90151d725}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe
2010-12-01 11:46:45 -------- d-----w- c:\program files\common files\Tencent
2010-12-01 11:46:32 -------- d-----w- c:\program files\Tencent
2010-12-01 11:46:12 -------- d-----w- c:\docume~1\admin\applic~1\Tencent
2010-11-23 11:39:51 -------- d-----w- c:\windows\system32\LogFiles
2010-11-17 04:51:10 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-11-17 04:51:10 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-11-17 04:51:09 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2010-11-17 04:51:09 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys

==================== Find3M ====================

2010-12-12 10:42:41 1721344 ----a-w- c:\windows\explorer.exe
2010-10-24 19:31:07 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-24 19:31:07 411368 ----a-w- c:\windows\system32\deployJava1.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_ rev.LV01 -> Harddisk0\DR0 -> \Device\Ide\iaStor0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89188446]<<
c:\windows\system32\ntoskrnl.exe Microsoft Corporation Microsoft® Windows® Operating System
c:\windows\system32\drivers\ACPI.sys Microsoft Corporation Microsoft® Windows® Operating System
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8918e504]; MOV EAX, [0x8918e580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E1397] -> \Device\Harddisk0\DR0[0x89BA1AB8]
3 CLASSPNP[0xF7667FD7] -> nt!IofCallDriver[0x804E1397] -> \Device\0000006f[0x89BA3910]
5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E1397] -> [0x89B2C030]
\Driver\iaStor[0x89B9E2F8] -> IRP_MJ_CREATE -> 0x89188446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskTOSHIBA_MK1652GSX_______________________LV011C__#4&3886a29&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\iaStor DriverStartIo -> 0x89188292
user != kernel MBR !!!
sectors 312581806 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 13:58:16,42 ===============


"What you do speaks so loudly that I cannot hear what you say" - Ralph Waldo Emerson



#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:05:35 AM

Posted 23 December 2010 - 07:24 PM

Hello and welcome to Bleeping Computer :welcome:

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log



Regards,
Georgi :hello:



#3 siobhain

siobhain
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:10:35 AM

Posted 23 December 2010 - 09:20 PM

Thanks for replying Georgi.

The situation has remained unchanged since I posted first - the computer is infected with Win32/Patched.AC in the system file winlogon.exe (C:\Windows\System32\winlogon.exe). The computer has been used since first posting about the problem, but there have been no attempts at removing the infection. It is beyond my skill level if I have no assistance.

New logs as requested:


DDS (Ver_10-12-12.02) - NTFSx86
Run by Admin at 10:04:49,07 on 24.12.2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.2038.1204 [GMT 8:00]

AV: Panda Cloud Antivirus *Disabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VistaDriveIcon\VistaDrv.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Documents and Settings\Admin\Рабочий стол\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mDefault_Page_URL = hxxp://www.google.com
mStart Page = about:blank
uURLSearchHooks: H - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Яндекс.Бар: {91397d20-1446-11d4-8af4-0040ca1127b6} - c:\program files\yandex\yandexbarie\yndbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [VistaIcon] c:\program files\vistadriveicon\VistaDrv.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot
mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [VistaIcon] c:\program files\vistadriveicon\VistaDrv.exe
dRun: [asdfjnkads.exe] c:\asdfjnkads.exe\asdfjnkads.exe
dRunOnce: [ZZZZ2_FirstLogonSetting] %SystemRoot%\System32\rundll32.exe advpack.dll,LaunchINFSection c:\windows\inf\custom.inf,NewUserFirstLogonInstall,0
dRunOnce: [IE7_011] regsvr32 /s /n /i:u shell32
dRunOnce: [IE7_012] rundll32 advpack.dll,LaunchINFSectionEx IE7int.inf,AfterUserStart,,4,N
StartupFolder: c:\documents and settings\admin\главное меню\программы\автозагрузка\igfxtray.exe
StartupFolder: c:\docume~1\admin\5d29~1\4a66~1\60c2~1\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: QQ - c:\program files\tencent\qqintl\bin\AddEmotion.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\7tv2qnah.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yandex.ru/?clid=40795
FF - component: c:\documents and settings\admin\application data\mozilla\firefox\profiles\7tv2qnah.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\admin\application data\mozilla\firefox\profiles\7tv2qnah.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Fast Dial: fastdial@telega.phpnet.us - %profile%\extensions\fastdial@telega.phpnet.us
FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
FF - Ext: Cooliris: piclens@cooliris.com - %profile%\extensions\piclens@cooliris.com
FF - Ext: Яндекс.Бар: yasearch@yandex.ru - %profile%\extensions\yasearch@yandex.ru
FF - Ext: Past Modern: {81514210-E22A-4e69-93D5-E1EFD45B4620} - %profile%\extensions\{81514210-E22A-4e69-93D5-E1EFD45B4620}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

R0 iastor78;iastor78;c:\windows\system32\drivers\iastor78.sys [2008-8-22 308248]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-12-12 28552]
R0 PsBoot;Panda boot driver;c:\windows\system32\drivers\PsBoot.sys [2010-12-22 30280]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2010-6-17 129992]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2010-8-9 140608]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2010-5-27 141384]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2010-7-21 97096]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2010-4-30 111624]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2010-7-21 112456]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-9-15 136176]

=============== File Associations ===============

chm.file="hh.exe" %1
txtfile=c:\windows\notepad.exe %1

=============== Created Last 30 ================

2010-12-22 08:15:10 30280 ----a-w- c:\windows\system32\drivers\PsBoot.sys
2010-12-12 14:53:16 -------- d-----w- c:\docume~1\admin\applic~1\Malwarebytes
2010-12-12 14:53:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-12 14:53:08 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-12-12 14:53:04 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-12 14:53:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-12 10:10:23 -------- d-----w- c:\docume~1\admin\applic~1\Panda Security
2010-12-12 10:07:07 -------- d-----w- c:\docume~1\alluse~1\applic~1\Panda Security
2010-12-12 03:00:02 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-12-12 02:59:53 -------- d-----w- c:\program files\Panda Security
2010-12-12 02:05:18 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-12-12 02:05:18 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-12-12 02:05:18 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-12-12 02:05:18 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-12-12 02:05:18 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-12-12 02:05:17 -------- d-----w- c:\program files\Trojan Remover
2010-12-12 02:05:17 -------- d-----w- c:\docume~1\alluse~1\applic~1\Simply Super Software
2010-12-12 02:05:17 -------- d-----w- c:\docume~1\admin\applic~1\Simply Super Software
2010-12-11 14:54:14 -------- d-----w- c:\docume~1\admin\applic~1\AVG10
2010-12-11 14:53:18 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2010-12-11 14:52:31 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2010-12-11 14:35:02 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-12-11 13:52:33 733 ----a-w- c:\windows\uduqaxuwibiqo.dll
2010-12-11 13:51:32 -------- d-----w- c:\windows\pss
2010-12-11 13:30:34 733 ----a-w- c:\windows\uhusobuzitoway.dll
2010-12-11 09:39:27 -------- d-----w- C:\Yandex
2010-12-09 04:40:06 731 ----a-w- c:\windows\ufefesuf.dll
2010-12-09 02:26:44 731 ----a-w- c:\windows\otanukonejiqal.dll
2010-12-08 12:06:48 731 ----a-w- c:\windows\ecuwevanuza.dll
2010-12-08 07:26:01 731 ----a-w- c:\windows\ewudevip.dll
2010-12-07 10:21:38 731 ----a-w- c:\windows\usesilar.dll
2010-12-06 10:36:54 731 ----a-w- c:\windows\itafoxosivolup.dll
2010-12-01 11:46:45 106496 ----a-r- c:\docume~1\admin\applic~1\microsoft\installer\{3ca54984-a14b-42fe-9ff1-7ea90151d725}\NewShortcut311_0951773981FA4AB2BC21B7DCEC95892A.exe
2010-12-01 11:46:45 106496 ----a-r- c:\docume~1\admin\applic~1\microsoft\installer\{3ca54984-a14b-42fe-9ff1-7ea90151d725}\NewShortcut31_2F252077BA3F4362913955273A708467.exe
2010-12-01 11:46:45 106496 ----a-r- c:\docume~1\admin\applic~1\microsoft\installer\{3ca54984-a14b-42fe-9ff1-7ea90151d725}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe
2010-12-01 11:46:45 -------- d-----w- c:\program files\common files\Tencent
2010-12-01 11:46:32 -------- d-----w- c:\program files\Tencent
2010-12-01 11:46:12 -------- d-----w- c:\docume~1\admin\applic~1\Tencent

==================== Find3M ====================

2010-12-12 10:42:41 1721344 ----a-w- c:\windows\explorer.exe
2010-10-24 19:31:07 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-24 19:31:07 411368 ----a-w- c:\windows\system32\deployJava1.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_ rev.LV01 -> Harddisk0\DR0 -> \Device\Ide\iaStor0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x891A9446]<<
c:\windows\system32\ntoskrnl.exe Microsoft Corporation Microsoft® Windows® Operating System
c:\windows\system32\drivers\ACPI.sys Microsoft Corporation Microsoft® Windows® Operating System
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x891af504]; MOV EAX, [0x891af580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E1397] -> \Device\Harddisk0\DR0[0x891C5AB8]
3 CLASSPNP[0xF7667FD7] -> nt!IofCallDriver[0x804E1397] -> \Device\0000006f[0x89AFB910]
5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E1397] -> [0x895C6030]
\Driver\iaStor[0x891A6F38] -> IRP_MJ_CREATE -> 0x891A9446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskTOSHIBA_MK1652GSX_______________________LV011C__#4&3886a29&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\iaStor DriverStartIo -> 0x891A9292
user != kernel MBR !!!
sectors 312581806 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 10:06:43,45 ===============

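The ROOTKIT section of both DDS logs above (posts #1 and #3) reports the same two things: "user != kernel MBR" and a kernel-side MBR disassembly that copies itself from 0x7C00 to 0x600 and then runs "MOV CX,0x137; MOV BP,0x62a; ROR BYTE [BP+0x0],CL; INC BP". The following is an added example, written for this page and not taken from the thread or from GMER, that re-implements both checks in Python over constructed sample sectors. It assumes the rotate loop continues with a LOOP instruction (so CX is both the counter and the rotate count); the log shows only the first iteration, so that continuation is an assumption. The partition table, boot code and "stage" payload are made up for the demo.

```python
"""
Added example (not from the thread, not GMER's code): the two checks behind
the ROOTKIT section of the DDS logs, re-implemented over constructed sample
data so they run offline.

1. 'user != kernel MBR': sector 0 read through the normal user-mode path is
   diffed against sector 0 read below the hooked driver (the log shows
   \\Driver\\iaStor DriverStartIo hooked). A bootkit serves the clean sector
   to the first reader and keeps its loader in the real one.
2. The kernel-side MBR disassembly ends in
   'MOV CX,0x137; MOV BP,0x62a; ROR BYTE [BP+0x0],CL; INC BP' after copying
   itself from 0x7C00 to 0x600. ASSUMPTION: the loop continues with LOOP, so
   CX is both the counter and the rotate amount; the page shows only the
   first iteration. decode_rotating_loader() replays that loop offline.
"""
import struct

SECTOR_SIZE = 512
BOOT_SIG = b"\x55\xaa"
CODE_LEN = 446                     # boot code, then 4 x 16-byte table, then 0x55AA
LOADER_START = 0x62A - 0x600       # BP=0x62A in the relocated copy -> offset 0x2A
LOADER_LEN = 0x137                 # MOV CX, 0x137


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[CODE_LEN + 16 * i: CODE_LEN + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba, count = struct.unpack_from("<II", entry, 8)
        if ptype:                  # type 0 = unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba": lba, "sectors": count})
    return {"code": sector[:CODE_LEN], "partitions": partitions,
            "signature_ok": sector[510:] == BOOT_SIG}


def compare_mbr(user_view: bytes, kernel_view: bytes) -> dict:
    """Diff two reads of sector 0. A bootkit typically keeps the partition
    table intact (the system must still boot) and changes only the code."""
    u, k = parse_mbr(user_view), parse_mbr(kernel_view)
    diff = [i for i in range(SECTOR_SIZE) if user_view[i] != kernel_view[i]]
    return {
        "identical": not diff,
        "differing_bytes": len(diff),
        "code_differs": any(i < CODE_LEN for i in diff),
        "table_differs": u["partitions"] != k["partitions"],
        "verdict": "user != kernel MBR" if diff else "user == kernel MBR",
    }


def _ror8(b: int, n: int) -> int:
    n %= 8                         # rotating a byte by 8 is the identity
    return ((b >> n) | (b << (8 - n))) & 0xFF


def _rol8(b: int, n: int) -> int:
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF


def _rotate_loader(sector: bytes, start: int, length: int, op) -> bytes:
    buf = bytearray(sector)
    cx, bp = length, start         # MOV CX, length ; MOV BP, start
    while cx:                      # assumed LOOP: repeat until CX hits 0
        buf[bp] = op(buf[bp], cx)  # ROR/ROL BYTE [BP], CL (CL = low byte of CX)
        bp += 1                    # INC BP
        cx -= 1
    return bytes(buf)


def decode_rotating_loader(sector, start=LOADER_START, length=LOADER_LEN):
    """What the loader does to itself at boot: ROR each byte by a
    decreasing count. Run offline, it exposes the second-stage code."""
    return _rotate_loader(sector, start, length, _ror8)


def encode_rotating_loader(sector, start=LOADER_START, length=LOADER_LEN):
    """Inverse transform; used here only to build the constructed sample."""
    return _rotate_loader(sector, start, length, _rol8)


def build_samples():
    """Constructed sample data, not taken from the thread: a clean MBR and
    a bootkit MBR that shares its partition table but carries an encoded
    loader in the code area."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 1_000_000)
    table = entry + b"\x00" * 48   # one NTFS partition, three empty slots
    clean_code = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (CODE_LEN - 8)
    clean = clean_code + table + BOOT_SIG
    stage = b"constructed stage: read hidden sectors".ljust(LOADER_LEN, b"\x90")
    infected_code = bytearray(clean_code)
    infected_code[LOADER_START:LOADER_START + LOADER_LEN] = stage
    infected_code = encode_rotating_loader(bytes(infected_code))
    bootkit = infected_code + table + BOOT_SIG
    return clean, bootkit, stage


if __name__ == "__main__":
    clean, bootkit, stage = build_samples()
    print(compare_mbr(clean, clean)["verdict"])
    print(compare_mbr(clean, bootkit))
    dec = decode_rotating_loader(bootkit)
    print(dec[LOADER_START:LOADER_START + LOADER_LEN].rstrip(b"\x90"))
```

On a live machine the two inputs to compare_mbr() would come from reading \\.\PhysicalDrive0 normally and from reading the same sector below the hooked driver; on a disk image taken with the machine powered off there is no hook to lie, and the image's sector 0 is the "kernel" view. The partition table staying identical while the code changes is the expected shape for a bootkit, since the box still has to boot.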

#4 B-boy/StyLe/ (Malware Response Team)

Posted 24 December 2010 - 05:21 AM

Hi siobhain and :welcome:

Merry Christmas ! :)


I will be handling your log to help you get cleaned up.
Please give me some time to look it over and I will get back to you as soon as possible.


Regards,
Georgi :hello:



#5 siobhain (Topic Starter)

Posted 24 December 2010 - 05:35 AM

Thank you immensely Georgi! I enjoy doing stuff like this, but without easy access to a Windows XP install disc, I'm a little nervous should I make a mistake. So I appreciate your guiding me through the clean-up.

Merry Christmas to you :)

Best Regards!

#6 B-boy/StyLe/ (Malware Response Team)

Posted 24 December 2010 - 07:31 AM

Hello siobhain ! Welcome to BleepingComputer Forums! :welcome:

My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested ! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.



IMPORTANT NOTE: One or more of the identified infections is related to the rootkit TDL4 component and Trojan.SpyEyE. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, you should stay disconnected from the Internet until your system is fully cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired, so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you decide to continue please do this:



STEP 1



I suggest you to uninstall uTorrent as well !

Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case uTorrent). These programmes allow users to share files between them, as the name(s) suggest. In today's world cyber crime has reached an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries around the world, and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."


Also, please take a look here:

How cyber criminals infect victims via P2P with pirated software



STEP 2



We need to uninstall Trojan Remover as it can interfere with the fix.


Click "start" on the taskbar and then click on the "Control Panel" icon.
Please doubleclick the "Add or Remove Programs" icon
A list of programs installed will be "populated" this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

Trojan Remover

Additional instructions can be found here if needed.



STEP 3



Please download ComboFix from one of these locations:

Link 1
Link 2

Save it to your Desktop <-- Important!!!

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click it & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply



Regards,
Georgi :hello:



#7 siobhain (Topic Starter)

Posted 26 December 2010 - 09:51 AM

Thanks Georgi, I hope you had a Merry Christmas!

Steps 2 and 3 were done. I didn't remove uTorrent as it is used for legitimate reasons, although my girlfriend does do some file sharing and I am certain this is how she has become so badly infected. I will advise her of the problems associated, but you know how girlfriends can be :)

Log file is below!



ComboFix 10-12-25.02 - Admin 26.12.2010 22:40:05.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.2038.1609 [GMT 8:00]
Running from: c:\documents and settings\Admin\Рабочий стол\ComboFix.exe
AV: Panda Cloud Antivirus *Disabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Admin\Главное меню\Программы\Автозагрузка\igfxtray.exe
c:\documents and settings\Admin\Application Data\igxpgd32.dat
c:\documents and settings\All Users\Документы\Server\admin.txt
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\MFILES
c:\program files\Internet Explorer\usp10.dll
c:\windows\del.bat
c:\windows\KB611311.log
c:\windows\system32\Пузыри.scr
c:\windows\system32\AutoIE.ini
c:\windows\system32\Config.cfg
c:\windows\system32\gbvgbv00.exe
c:\windows\system32\gbvgbv01.exe
c:\windows\system32\gbvgbv06.exe
c:\windows\system32\Oeminfo.ini
c:\windows\system32\ormsgse.axz
c:\windows\system32\replace.xml
c:\windows\system32\ssField Lines.scr
c:\windows\system32\ssRibbons.scr
c:\windows\system32\SYSINTERNALS_BLUESCREEN.SCR
D:\ssshall

----- BITS: Possible infected sites -----

hxxp://download.yandex.ru
hxxp://soft.export.yandex.ru
c:\windows\regedit.exe . . . is infected!!

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-11-26 to 2010-12-26 )))))))))))))))))))))))))))))))
.

2010-12-26 14:39 . 2010-05-24 02:46 30280 ----a-w- c:\windows\system32\drivers\PsBoot.sys
2010-12-26 07:54 . 2010-12-26 07:56 -------- d-----w- c:\documents and settings\Admin\Application Data\Installer
2010-12-24 11:17 . 2010-12-25 10:58 -------- d-----w- C:\Somewhere In Time
2010-12-12 14:53 . 2010-12-12 14:53 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2010-12-12 14:53 . 2010-11-29 09:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-12 14:53 . 2010-12-12 14:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-12-12 14:53 . 2010-12-12 15:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-12 14:53 . 2010-11-29 09:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-12 10:10 . 2010-12-12 10:10 -------- d-----w- c:\documents and settings\Admin\Application Data\Panda Security
2010-12-12 10:07 . 2010-12-12 10:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security
2010-12-12 03:00 . 2009-06-30 02:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-12-12 02:59 . 2010-12-12 10:07 -------- d-----w- c:\program files\Panda Security
2010-12-12 02:06 . 2010-12-12 02:40 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-12-11 14:54 . 2010-12-11 14:54 -------- d-----w- c:\documents and settings\Admin\Application Data\AVG10
2010-12-11 14:53 . 2010-12-11 14:53 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-12-11 14:52 . 2010-12-12 12:10 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2010-12-11 14:35 . 2010-12-11 14:48 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-12-11 13:52 . 2010-12-11 13:52 733 ----a-w- c:\windows\uduqaxuwibiqo.dll
2010-12-11 13:30 . 2010-12-11 13:30 733 ----a-w- c:\windows\uhusobuzitoway.dll
2010-12-11 09:39 . 2010-12-11 09:39 -------- d-----w- C:\Yandex
2010-12-09 04:40 . 2010-12-09 04:40 731 ----a-w- c:\windows\ufefesuf.dll
2010-12-09 02:26 . 2010-12-09 02:26 731 ----a-w- c:\windows\otanukonejiqal.dll
2010-12-08 12:06 . 2010-12-08 12:06 731 ----a-w- c:\windows\ecuwevanuza.dll
2010-12-08 07:26 . 2010-12-08 07:26 731 ----a-w- c:\windows\ewudevip.dll
2010-12-07 10:21 . 2010-12-07 10:21 731 ----a-w- c:\windows\usesilar.dll
2010-12-06 10:36 . 2010-12-06 10:36 731 ----a-w- c:\windows\itafoxosivolup.dll
2010-12-04 13:40 . 2010-12-04 13:40 -------- d-----w- c:\program files\Common Files\Skype
2010-12-01 11:46 . 2010-12-01 11:46 106496 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\NewShortcut311_0951773981FA4AB2BC21B7DCEC95892A.exe
2010-12-01 11:46 . 2010-12-01 11:46 106496 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\NewShortcut31_2F252077BA3F4362913955273A708467.exe
2010-12-01 11:46 . 2010-12-01 11:46 106496 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe
2010-12-01 11:46 . 2010-12-01 11:46 -------- d-----w- c:\program files\Common Files\Tencent
2010-12-01 11:46 . 2010-12-01 11:46 -------- d-----w- c:\program files\Tencent
2010-12-01 11:46 . 2010-12-01 11:47 -------- d-----w- c:\documents and settings\Admin\Application Data\Tencent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-12 10:42 . 2008-08-19 16:22 1721344 ----a-w- c:\windows\explorer.exe
2010-10-24 19:31 . 2010-10-24 19:31 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-24 19:31 . 2010-09-15 01:30 73728 ----a-w- c:\windows\system32\javacpl.cpl
.

------- Sigcheck -------

[-] 2008-08-19 . 6A104BA98D99D53AB0C91825CE659FC6 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys

[-] 2008-04-15 . 097EBC0D94F0E2380E34467969F388AF . 509440 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe


[-] 2008-08-19 . 23B7D3F3F5EC8FEEA75EC381C71CBD5E . 579072 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll

[-] 2008-08-19 . 40B6EA7C0D015C1C7589D6C522E6788C . 952832 . . [7.00.6000.20861] . . c:\windows\system32\wininet.dll

[-] 2010-12-12 . 839103EB4FEAC446CA7E3ED3BB12629C . 1721344 . . [6.00.2900.5512] . . c:\windows\explorer.exe

[-] 2008-08-21 . 66452823532746FA58EFEDBA320F46A2 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

[-] 2008-08-19 . B8B35F99DADAA5459FBA639F20045FE2 . 30208 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe


c:\windows\System32\wuauclt.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "c:\program files\Yandex\YandexBarIE\yndbar.dll" [2010-06-01 10336584]

[HKEY_CLASSES_ROOT\clsid\{91397d20-1446-11d4-8af4-0040ca1127b6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{91397D13-1446-11D4-8AF4-0040CA1127B6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "c:\program files\Yandex\YandexBarIE\yndbar.dll" [2010-06-01 10336584]

[HKEY_CLASSES_ROOT\clsid\{91397d20-1446-11d4-8af4-0040ca1127b6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{91397D13-1446-11D4-8AF4-0040CA1127B6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Malware Icon]
@="{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}"
[HKEY_CLASSES_ROOT\CLSID\{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}]
2010-05-14 06:04 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Suspect Icon]
@="{9AE343CB-BA45-4618-AF6A-0230EE6FC793}"
[HKEY_CLASSES_ROOT\CLSID\{9AE343CB-BA45-4618-AF6A-0230EE6FC793}]
2010-05-14 06:04 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VistaIcon"="c:\program files\VistaDriveIcon\VistaDrv.exe" [2008-01-02 132096]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-10-11 14940040]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-09-15 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-07-12 74752]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2010-05-14 406848]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-08-19 30208]
"VistaIcon"="c:\program files\VistaDriveIcon\VistaDrv.exe" [2008-01-02 132096]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"IE7_011"="shell32" [X]
"ZZZZ2_FirstLogonSetting"="advpack.dll" [2008-08-19 124928]
"IE7_012"="advpack.dll" [2008-08-19 124928]

c:\documents and settings\Admin\Главное меню\Программы\Автозагрузка\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"UpdatesOverride"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=

R0 iastor78;iastor78;c:\windows\system32\drivers\iastor78.sys [22.08.2008 1:33 308248]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [12.12.2010 11:00 28552]
R0 PsBoot;Panda boot driver;c:\windows\system32\drivers\PsBoot.sys [26.12.2010 22:39 30280]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [17.06.2010 12:41 129992]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [09.08.2010 13:53 140608]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [27.05.2010 17:39 141384]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [21.07.2010 21:02 97096]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [30.04.2010 12:46 111624]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [21.07.2010 21:02 112456]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [15.09.2010 11:20 136176]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [15.09.2010 9:30 717296]
.
Contents of the 'Scheduled Tasks' folder

2010-12-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-15 03:20]

2010-12-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-15 03:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = about:blank
IE: Google ВикиКомментарии... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: QQ - c:\program files\Tencent\QQIntl\Bin\AddEmotion.htm
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\7tv2qnah.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yandex.ru/?clid=40795
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Fast Dial: fastdial@telega.phpnet.us - %profile%\extensions\fastdial@telega.phpnet.us
FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
FF - Ext: Cooliris: piclens@cooliris.com - %profile%\extensions\piclens@cooliris.com
FF - Ext: Яндекс.Бар: yasearch@yandex.ru - %profile%\extensions\yasearch@yandex.ru
FF - Ext: Past Modern: {81514210-E22A-4e69-93D5-E1EFD45B4620} - %profile%\extensions\{81514210-E22A-4e69-93D5-E1EFD45B4620}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
------- File Associations -------
.
txtfile=c:\windows\notepad.exe %1
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKU-Default-Run-asdfjnkads.exe - c:\asdfjnkads.exe\asdfjnkads.exe
AddRemove-Everest - c:\program files\Everest\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-26 22:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1060)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\cscui.dll

- - - - - - - > 'lsass.exe'(1132)
c:\windows\system32\setupapi.dll
.
Completion time: 2010-12-26 22:46:45
ComboFix-quarantined-files.txt 2010-12-26 14:46

Pre-Run: 17 442 332 672 bytes free
Post-Run: 17 788 887 040 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional RU" /execute /fastdetect

- - End Of File - - 669E2F03F49467D92BD9977D3D993EFE

Edited by siobhain, 26 December 2010 - 09:54 AM.


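The two tool outputs in this thread, the mbr.exe trace in the earlier post (`>>UNKNOWN [...]<<` in the disk stack, `detected hooks`, `user != kernel MBR !!!`) and the ComboFix log just posted (`is infected!!`, `Bootkit TDL4 was found`, the Sigcheck `[-]` rows with MD5/size/version, `is missing !!`), are what the helper is reading by eye to decide which files need replacing and whether the box can be trusted at all. The Python below is an added example, not part of this thread and not code from ComboFix or GMER: it parses exactly those line formats into one triage record, cross-references the files that ComboFix flagged and that Sigcheck also failed to recognise, and flags the bootkit-level indicators. The sample log is an excerpt constructed from the lines visible in this thread; nothing else is assumed.

```python
"""Triage parser for the ComboFix and GMER mbr.exe line formats seen in this
thread. Added example; not part of the thread, ComboFix or GMER. SAMPLE_LOG
is an excerpt constructed from lines posted in the thread."""
import re
from dataclasses import dataclass, field

# ComboFix Sigcheck row: "[-] 2008-04-15 . <MD5> . <size> . . [<version>] . . <path>"
# "[-]" is what ComboFix prints for a system file whose hash it did not
# recognise as a legitimate Microsoft build (winlogon.exe, explorer.exe here).
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]+)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)
INFECTED_RE = re.compile(r"^(?P<path>\S.*?)\s+\.\s+\.\s+\.\s+is infected!!\s*$")
MISSING_RE = re.compile(r"^(?P<path>\S.*?)\s+\.\.\.\s+is missing !!\s*$")
BOOTKIT_RE = re.compile(r"^(?P<device>\\\\\.\\PhysicalDrive\d+) - Bootkit (?P<name>\S+) was found")
# GMER mbr.exe: a hooked driver routine, and an unknown module in the disk I/O path
HOOK_RE = re.compile(r"^(?P<driver>\\Driver\\\S+)\s+(?P<routine>\S+)\s+->\s+(?P<addr>0x[0-9A-Fa-f]+)$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(?P<addr>0x[0-9A-Fa-f]+)\]<<")


@dataclass
class Triage:
    infected: list = field(default_factory=list)       # "is infected!!" paths
    missing: list = field(default_factory=list)        # "is missing !!" paths
    unrecognised: list = field(default_factory=list)   # Sigcheck [-] rows
    bootkit: list = field(default_factory=list)        # (device, name)
    hooks: list = field(default_factory=list)          # GMER "detected hooks"
    unknown_modules: list = field(default_factory=list)
    mbr_mismatch: bool = False                         # "user != kernel MBR"
    warnings: list = field(default_factory=list)


def parse_logs(text: str) -> Triage:
    """Walk the log once and bucket every indicator line we recognise."""
    t = Triage()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SIGCHECK_RE.match(line):
            if m["flag"] == "-":
                t.unrecognised.append({k: m[k] for k in ("date", "md5", "size", "version", "path")})
        elif m := INFECTED_RE.match(line):
            t.infected.append(m["path"])
        elif m := MISSING_RE.match(line):
            t.missing.append(m["path"])
        elif m := BOOTKIT_RE.match(line):
            t.bootkit.append((m["device"], m["name"]))
        elif m := HOOK_RE.match(line):
            t.hooks.append(m.groupdict())
        elif m := UNKNOWN_RE.search(line):
            t.unknown_modules.append(m["addr"])
        elif line.startswith("user != kernel"):
            # the MBR read via the user-mode path differs from the kernel read
            t.mbr_mismatch = True
        elif line.startswith("Warning:") or "rootkit infection detected" in line:
            t.warnings.append(line)
    return t


def corroborated(t: Triage) -> set:
    """Files both reported infected and unrecognised by Sigcheck: the ones to
    replace from known-good media first (winlogon.exe and explorer.exe here)."""
    sig = {e["path"].lower() for e in t.unrecognised}
    return {p for p in t.infected if p.lower() in sig}


def needs_offline_remediation(t: Triage) -> bool:
    """Any MBR/bootkit or kernel-hook indicator means the running OS cannot be
    trusted to report on itself: verify from outside it, or rebuild, as the
    helper's note in this thread says."""
    return bool(t.bootkit or t.mbr_mismatch or t.hooks or t.unknown_modules)


# Constructed sample: lines copied from the mbr.exe and ComboFix output above.
SAMPLE_LOG = r"""
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x891A9446]<<
detected hooks:
\Driver\iaStor DriverStartIo -> 0x891A9292
user != kernel MBR !!!
sectors 312581806 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
c:\windows\regedit.exe . . . is infected!!
c:\windows\system32\winlogon.exe . . . is infected!!
c:\windows\explorer.exe . . . is infected!!
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
[-] 2008-08-19 . 6A104BA98D99D53AB0C91825CE659FC6 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[-] 2008-04-15 . 097EBC0D94F0E2380E34467969F388AF . 509440 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[-] 2010-12-12 . 839103EB4FEAC446CA7E3ED3BB12629C . 1721344 . . [6.00.2900.5512] . . c:\windows\explorer.exe
c:\windows\System32\wuauclt.exe ... is missing !!
"""

if __name__ == "__main__":
    t = parse_logs(SAMPLE_LOG)
    print("replace first:", sorted(corroborated(t)))
    print("missing:", t.missing)
    print("bootkit-level indicators present:", needs_offline_remediation(t))
```

Feed it the contents of a saved C:\ComboFix.txt or mbr.exe log via parse_logs(); corroborated() gives the replacement list the later CFScript in this thread builds by hand, and needs_offline_remediation() is the cue for the reformat-and-reinstall warning in post #6, or at minimum for re-checking the MBR after the fix rather than taking the running system's word for it.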
#8 B-boy/StyLe/ (Malware Response Team)

Posted 27 December 2010 - 07:26 AM

Hello siobhain and Merry Christmas.



STEP 1


We are going to need to download a file to extract the system files from.

Please go here and download WindowsXP-KB936929-SP3-x86-ENU.exe to your desktop.

Next open notepad and copy/paste the text in the codebox below into it:

@echo Unpacking files ...  
@echo (This window will close when it's done)
@echo off
REM Extract the Service Pack 3 package (saved next to this script) into C:\SP3
MKdir C:\SP3
WindowsXP-KB936929-SP3-x86-ENU.exe -x: C:\SP3 /quiet
cd C:\SP3\i386
REM Decompress clean copies of the files ComboFix reported as infected, unrecognised or missing
expand explorer.ex_ C:\SP3\explorer.exe
expand winlogon.ex_ C:\SP3\winlogon.exe
expand regedit.ex_ C:\SP3\regedit.exe
expand tcpip.sy_ C:\SP3\tcpip.sys
expand user32.dl_ C:\SP3\user32.dll
expand wininet.dl_ C:\SP3\wininet.dll
expand sfcfiles.dl_ C:\SP3\sfcfiles.dll
expand ctfmon.ex_ C:\SP3\ctfmon.exe
expand wuauclt.ex_ C:\SP3\wuauclt.exe
REM Delete this batch file once it has run
del %0

Save this as expand.bat
Choose to "Save type as - All Files"
Save it on your desktop.
It should look like this: Posted Image
Double click on expand.bat & allow it to run.
A folder C:\SP3\i386 will be created with all the files in Service pack 3 in it.
A couple of files will be expanded to C:\SP3.



STEP 2


We need to execute a CFScript to clean some remnants.

Please do this:


1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

2. Open notepad and copy/paste the text in the quotebox below into it:

http://www.bleepingcomputer.com/forums/topic367389.html/

Collect::
c:\windows\uduqaxuwibiqo.dll
c:\windows\uhusobuzitoway.dll
c:\windows\ufefesuf.dll
c:\windows\otanukonejiqal.dll
c:\windows\ecuwevanuza.dll
c:\windows\ewudevip.dll
c:\windows\usesilar.dll
c:\windows\itafoxosivolup.dll
Fcopy::
C:\SP3\explorer.exe | c:\windows\explorer.exe
C:\SP3\winlogon.exe | c:\windows\system32\winlogon.exe
C:\SP3\regedit.exe | c:\windows\regedit.exe
C:\SP3\tcpip.sys | c:\windows\system32\drivers\tcpip.sys
C:\SP3\user32.dll | c:\windows\system32\user32.dll
C:\SP3\wininet.dll | c:\windows\system32\wininet.dll
C:\SP3\sfcfiles.dll | c:\windows\system32\sfcfiles.dll
C:\SP3\ctfmon.exe | c:\windows\system32\ctfmon.exe
C:\SP3\wuauclt.exe | c:\windows\System32\wuauclt.exe
Folder::
c:\documents and settings\Admin\Application Data\AVG10
c:\documents and settings\All Users\Application Data\AVG10
c:\documents and settings\All Users\Application Data\MFAData
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000000
"UpdatesOverride"=dword:00000000
"AntiVirusOverride"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
"DoNotAllowExceptions"=dword:00000000
KILLALL::

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

3. Close any open browsers.

4. Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Also reply back to let me know how things are going.



Regards,
Georgi


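Step 2's CFScript replaces nine patched or missing system files with the SP3 copies that expand.bat extracted (the Fcopy:: lines), but nothing in ComboFix's output afterwards tells you whether each copy actually landed, and the first post's history of one scanner after another still finding winlogon.exe patched is the reason to verify rather than assume. The script below is an added example, not part of the thread and not ComboFix's own code: it parses the Fcopy:: section of a CFScript, hashes each source/target pair (MD5 so the value can be compared with ComboFix's Sigcheck column, SHA-256 for the record) and reports ok, mismatch, missing-source or missing-target. The root parameter and the demo file tree are assumptions made here so it can run offline or against a mounted image; on the affected machine itself pass no root and the Windows paths are used as written.

```python
"""Check that the Fcopy:: replacements in a CFScript actually took effect.
Added example; not part of the thread or of ComboFix. SAMPLE_CFSCRIPT is a
constructed excerpt of the script posted above; demo() builds a constructed
file tree so the check can run anywhere."""
import hashlib
import tempfile
from pathlib import Path

SAMPLE_CFSCRIPT = r"""
Collect::
c:\windows\uduqaxuwibiqo.dll
Fcopy::
C:\SP3\explorer.exe | c:\windows\explorer.exe
C:\SP3\winlogon.exe | c:\windows\system32\winlogon.exe
C:\SP3\regedit.exe | c:\windows\regedit.exe
C:\SP3\wuauclt.exe | c:\windows\System32\wuauclt.exe
Folder::
c:\documents and settings\Admin\Application Data\AVG10
"""


def parse_fcopy(script: str) -> list:
    """Return (source, target) pairs from the Fcopy:: section of a CFScript.
    Section headers are lines ending in '::'; other sections are ignored."""
    pairs, section = [], None
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            section = line[:-2]
            continue
        if section == "Fcopy" and "|" in line:
            src, dst = (p.strip() for p in line.split("|", 1))
            pairs.append((src, dst))
    return pairs


def to_local(win_path: str, root=None) -> Path:
    """Map 'C:\\dir\\file' onto root/C/dir/file (assumed layout, for a mounted
    image or a test tree); with root=None use the Windows path as written."""
    if root is None:
        return Path(win_path)
    drive, rest = win_path.split(":", 1)
    return Path(root).joinpath(drive.upper(), *rest.strip("\\").split("\\"))


def digests(path: Path) -> dict:
    """MD5 (the column ComboFix's Sigcheck prints) and SHA-256 of one file."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest().upper(), "sha256": sha.hexdigest()}


def verify_replacements(pairs, root=None) -> dict:
    """Per target path: ok / mismatch / missing-source / missing-target, plus
    the target's hashes when it exists. 'mismatch' after the CFScript has run
    means the clean copy did not stick and the file is still not the SP3 one."""
    report = {}
    for src, dst in pairs:
        s, d = to_local(src, root), to_local(dst, root)
        if not s.is_file():
            report[dst] = {"status": "missing-source"}
        elif not d.is_file():
            report[dst] = {"status": "missing-target"}
        else:
            hs, hd = digests(s), digests(d)
            report[dst] = {"status": "ok" if hs == hd else "mismatch", **hd}
    return report


def demo() -> dict:
    """Constructed tree: one good copy, one still-patched file, one pair with
    no extracted source, and one target not restored yet."""
    pairs = parse_fcopy(SAMPLE_CFSCRIPT)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in {
            "C/SP3/explorer.exe": b"clean explorer",
            "C/windows/explorer.exe": b"clean explorer",
            "C/SP3/winlogon.exe": b"clean winlogon",
            "C/windows/system32/winlogon.exe": b"patched winlogon",
            "C/windows/regedit.exe": b"regedit with no SP3 copy extracted",
            "C/SP3/wuauclt.exe": b"clean wuauclt",
        }.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        return verify_replacements(pairs, root)


if __name__ == "__main__":
    for target, info in demo().items():
        print(f"{info['status']:15} {target}")
```

After ComboFix has processed the CFScript and the machine has rebooted, run verify_replacements(parse_fcopy(open("CFScript.txt").read())) on the machine; any target other than ok is the one to raise in the next reply, and a mismatch on winlogon.exe or explorer.exe after a reboot is the signal that something re-patched them.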

#9 siobhain (Topic Starter)

Posted 27 December 2010 - 11:54 AM

Georgi,

Things are going well. Already I am noticing a vast improvement with the computer operation, but I realize it is still infected. Nasty little bugger this is, but ComboFix and yourself are a great combination! Here is the log:

ComboFix 10-12-26.01 - Admin 28.12.2010 0:42.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.2038.1439 [GMT 8:00]
Running from: c:\documents and settings\Admin\Рабочий стол\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Рабочий стол\CFScript.txt
AV: Panda Cloud Antivirus *Disabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}

file zipped: c:\windows\ecuwevanuza.dll
file zipped: c:\windows\ewudevip.dll
file zipped: c:\windows\itafoxosivolup.dll
file zipped: c:\windows\otanukonejiqal.dll
file zipped: c:\windows\uduqaxuwibiqo.dll
file zipped: c:\windows\ufefesuf.dll
file zipped: c:\windows\uhusobuzitoway.dll
file zipped: c:\windows\usesilar.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Admin\Application Data\AVG10
c:\documents and settings\Admin\Application Data\AVG10\cfgall\usergui.cfg
c:\documents and settings\All Users\Application Data\AVG10
c:\documents and settings\All Users\Application Data\AVG10\Cfg\changecfgreg.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\csl.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\erd.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\idp.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\krnl.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\mail.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\mailsrv.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\mailsrvvsapi.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\malrep.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\sched.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\setup.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\spsrv.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\update.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\updatecomps.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\user.cfg
c:\documents and settings\All Users\Application Data\AVG10\cfgall\falsealarm.cfg
c:\documents and settings\All Users\Application Data\AVG10\cfgall\krnlall.cfg
c:\documents and settings\All Users\Application Data\AVG10\cfgall\srmall.cfg
c:\documents and settings\All Users\Application Data\AVG10\cfgall\updateall.cfg
c:\documents and settings\All Users\Application Data\AVG10\cfgall\userall.cfg
c:\windows\ecuwevanuza.dll
c:\windows\ewudevip.dll
c:\windows\itafoxosivolup.dll
c:\windows\otanukonejiqal.dll
c:\windows\uduqaxuwibiqo.dll
c:\windows\ufefesuf.dll
c:\windows\uhusobuzitoway.dll
c:\windows\usesilar.dll

c:\windows\regedit.exe . . . is infected!!

c:\windows\system32\winlogon.exe . . . is infected!!

.
--------------- FCopy ---------------

c:\sp3\explorer.exe --> c:\windows\explorer.exe
c:\sp3\winlogon.exe --> c:\windows\system32\winlogon.exe
c:\sp3\tcpip.sys --> c:\windows\system32\drivers\tcpip.sys
c:\sp3\user32.dll --> c:\windows\system32\user32.dll
c:\sp3\wininet.dll --> c:\windows\system32\wininet.dll
c:\sp3\sfcfiles.dll --> c:\windows\system32\sfcfiles.dll
c:\sp3\ctfmon.exe --> c:\windows\system32\ctfmon.exe
c:\sp3\wuauclt.exe --> c:\windows\System32\wuauclt.exe
.
((((((((((((((((((((((((( Files Created from 2010-11-27 to 2010-12-27 )))))))))))))))))))))))))))))))
.

2010-12-27 16:47 . 2010-12-27 16:47 -------- d-----w- c:\program files\microsoft frontpage
2010-12-27 16:42 . 2008-04-13 21:42 111104 ----a-w- c:\windows\system32\wuauclt.exe
2010-12-27 16:32 . 2010-12-27 16:33 -------- d-----w- C:\SP3
2010-12-26 07:54 . 2010-12-26 07:56 -------- d-----w- c:\documents and settings\Admin\Application Data\Installer
2010-12-24 11:17 . 2010-12-25 10:58 -------- d-----w- C:\Somewhere In Time
2010-12-12 14:53 . 2010-12-12 14:53 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2010-12-12 14:53 . 2010-11-29 09:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-12 14:53 . 2010-12-12 14:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-12-12 14:53 . 2010-12-12 15:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-12 14:53 . 2010-11-29 09:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-12 10:10 . 2010-12-12 10:10 -------- d-----w- c:\documents and settings\Admin\Application Data\Panda Security
2010-12-12 10:07 . 2010-12-12 10:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security
2010-12-12 03:00 . 2009-06-30 02:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-12-12 02:59 . 2010-12-12 10:07 -------- d-----w- c:\program files\Panda Security
2010-12-12 02:06 . 2010-12-12 02:40 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-12-11 14:53 . 2010-12-11 14:53 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-12-11 09:39 . 2010-12-11 09:39 -------- d-----w- C:\Yandex
2010-12-04 13:40 . 2010-12-04 13:40 -------- d-----w- c:\program files\Common Files\Skype
2010-12-01 11:46 . 2010-12-01 11:46 106496 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\NewShortcut311_0951773981FA4AB2BC21B7DCEC95892A.exe
2010-12-01 11:46 . 2010-12-01 11:46 106496 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\NewShortcut31_2F252077BA3F4362913955273A708467.exe
2010-12-01 11:46 . 2010-12-01 11:46 106496 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe
2010-12-01 11:46 . 2010-12-01 11:46 -------- d-----w- c:\program files\Common Files\Tencent
2010-12-01 11:46 . 2010-12-01 11:46 -------- d-----w- c:\program files\Tencent
2010-12-01 11:46 . 2010-12-01 11:47 -------- d-----w- c:\documents and settings\Admin\Application Data\Tencent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-24 19:31 . 2010-10-24 19:31 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-24 19:31 . 2010-09-15 01:30 73728 ----a-w- c:\windows\system32\javacpl.cpl
.

------- Sigcheck -------

[-] 2008-04-13 21:42 . F2BC2DCB41ECC9378EF1F7D5892B23A1 . 507904 . . [------] . . c:\windows\system32\winlogon.exe

[-] 2008-04-13 . ED7262E52C31CF1625B65039102BC16C . 111104 . . [5.4.3790.5512] . . c:\windows\system32\wuauclt.exe

[-] 2008-04-13 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll

[-] 2008-04-13 . 7A4F775ABB2F1C97DEF3E73AFA2FAEDD . 666112 . . [6.00.2900.5512] . . c:\windows\system32\wininet.dll

[-] 2008-04-13 21:42 . 8B3FC63DBAE8263ED555FF8215C73887 . 1033728 . . [------] . . c:\windows\explorer.exe

[-] 2008-04-13 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

[-] 2008-04-13 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe

.
((((((((((((((((((((((((((((( SnapShot@2010-12-26_14.45.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-27 16:48 . 2010-12-27 16:48 16384 c:\windows\temp\Perflib_Perfdata_5f8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "c:\program files\Yandex\YandexBarIE\yndbar.dll" [2010-06-01 10336584]

[HKEY_CLASSES_ROOT\clsid\{91397d20-1446-11d4-8af4-0040ca1127b6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{91397D13-1446-11D4-8AF4-0040CA1127B6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "c:\program files\Yandex\YandexBarIE\yndbar.dll" [2010-06-01 10336584]

[HKEY_CLASSES_ROOT\clsid\{91397d20-1446-11d4-8af4-0040ca1127b6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{91397D13-1446-11D4-8AF4-0040CA1127B6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Malware Icon]
@="{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}"
[HKEY_CLASSES_ROOT\CLSID\{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}]
2010-05-14 06:04 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Suspect Icon]
@="{9AE343CB-BA45-4618-AF6A-0230EE6FC793}"
[HKEY_CLASSES_ROOT\CLSID\{9AE343CB-BA45-4618-AF6A-0230EE6FC793}]
2010-05-14 06:04 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VistaIcon"="c:\program files\VistaDriveIcon\VistaDrv.exe" [2008-01-02 132096]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-10-11 14940040]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-09-15 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-07-12 74752]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2010-05-14 406848]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
"VistaIcon"="c:\program files\VistaDriveIcon\VistaDrv.exe" [2008-01-02 132096]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"IE7_011"="shell32" [X]
"ZZZZ2_FirstLogonSetting"="advpack.dll" [2008-08-19 124928]
"IE7_012"="advpack.dll" [2008-08-19 124928]

c:\documents and settings\Admin\Главное меню\Программы\Автозагрузка\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=

R0 iastor78;iastor78;c:\windows\system32\drivers\iastor78.sys [22.08.2008 1:33 308248]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [12.12.2010 11:00 28552]
R0 PsBoot;Panda boot driver;c:\windows\system32\drivers\PsBoot.sys [28.12.2010 0:49 30280]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [17.06.2010 12:41 129992]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [09.08.2010 13:53 140608]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [27.05.2010 17:39 141384]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [21.07.2010 21:02 97096]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [30.04.2010 12:46 111624]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [21.07.2010 21:02 112456]
S2 gupdate;Служба Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [15.09.2010 11:20 136176]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [15.09.2010 9:30 717296]
.
Contents of the 'Scheduled Tasks' folder

2010-12-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-15 03:20]

2010-12-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-15 03:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = about:blank
IE: Google ВикиКомментарии... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: QQ - c:\program files\Tencent\QQIntl\Bin\AddEmotion.htm
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\7tv2qnah.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yandex.ru/?clid=40795
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Fast Dial: fastdial@telega.phpnet.us - %profile%\extensions\fastdial@telega.phpnet.us
FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
FF - Ext: Cooliris: piclens@cooliris.com - %profile%\extensions\piclens@cooliris.com
FF - Ext: Яндекс.Бар: yasearch@yandex.ru - %profile%\extensions\yasearch@yandex.ru
FF - Ext: Past Modern: {81514210-E22A-4e69-93D5-E1EFD45B4620} - %profile%\extensions\{81514210-E22A-4e69-93D5-E1EFD45B4620}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-28 00:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1056)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\cscui.dll

- - - - - - - > 'lsass.exe'(1120)
c:\windows\system32\setupapi.dll

- - - - - - - > 'explorer.exe'(4064)
c:\windows\system32\COMRes.dll
c:\windows\System32\cscui.dll
c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.DLL
c:\program files\Panda Security\Panda Cloud Antivirus\PSNCGP.dll
c:\program files\Panda Security\Panda Cloud Antivirus\PSNCIPC.dll
c:\windows\system32\msi.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\msxml3.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\igfxsrvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Panda Security\Panda Cloud Antivirus\PSANToManager.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2010-12-28 00:50:11 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-27 16:50
ComboFix2.txt 2010-12-26 14:46

Pre-Run: 17 019 838 464 байт свободно
Post-Run: 16 978 886 656 байт свободно

- - End Of File - - 100E1310F69A1B6ED61C39995C7451CF
"What you do speaks so loudly that I cannot hear what you say" - Ralph Waldo Emerson

#10 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria
  • Local time:05:35 AM

Posted 27 December 2010 - 03:01 PM

Hi siobhain, :)


  • Please click this link-->Virustotal
  • When the Virustotal page has finished loading, click the Browse button and navigate to c:\windows\regedit.exe and click Submit.
  • Note: if VT says these files have already been analysed, make sure you click "Reanalyse file now".
  • Please post back the results of the scan in your next post.
  • Please repeat the step for these files as well.

    c:\windows\system32\winlogon.exe
    c:\windows\explorer.exe
    c:\windows\system32\user32.dll
    c:\windows\system32\wininet.dll
    c:\windows\system32\sfcfiles.dll
    c:\windows\system32\ctfmon.exe
    c:\windows\System32\wuauclt.exe


Regards,
Georgi

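A cross-check a responder can run alongside the VirusTotal uploads requested above, added here as an example and not code from this thread, from ComboFix or from VirusTotal: it parses the Sigcheck block of the ComboFix log (the `[-] date . MD5 . size . . [version] . . path` lines), hashes the copies that are readable locally, and reports whether each copy is still the sample whose MD5 the log recorded or has since been replaced. All paths and file contents in the demo are constructed.

```python
"""Cross-check local system files against the Sigcheck lines of a ComboFix log.

Added example for this thread; not code from the post, ComboFix or VirusTotal.
It parses the '------- Sigcheck -------' block (date . MD5 . size . . [version]
. . path), hashes the copies that are readable locally and reports whether each
copy still has the MD5 the log recorded. Demo paths and contents are constructed.
"""
import hashlib
import os
import re
import tempfile
from typing import Dict

# One ComboFix Sigcheck line, e.g.
# [-] 2008-04-13 21:42 . F2BC2DCB41ECC9378EF1F7D5892B23A1 . 507904 . . [------] . . c:\windows\system32\winlogon.exe
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[-+])\]\s+(?P<date>\d{4}-\d{2}-\d{2})(?:\s+\d{2}:\d{2})?\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)


def parse_sigcheck(log_text: str) -> Dict[str, dict]:
    """Map each Sigcheck path (lowercased) to its MD5, size, version and flag.

    '[-]' is ComboFix saying the file did not match a known-good signature;
    those are exactly the files the helper asked to have uploaded.
    """
    entries: Dict[str, dict] = {}
    for line in log_text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            entries[m.group("path").lower()] = {
                "md5": m.group("md5").lower(),
                "size": int(m.group("size")),
                "version": m.group("version"),
                "flag": m.group("flag"),
            }
    return entries


def hash_file(path: str) -> Dict[str, str]:
    """MD5, SHA1 and SHA256 of a file, streamed so large binaries are fine."""
    digests = {n: hashlib.new(n) for n in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for d in digests.values():
                d.update(chunk)
    return {n: d.hexdigest() for n, d in digests.items()}


def compare_with_log(entries: Dict[str, dict], path_map: Dict[str, str]) -> Dict[str, str]:
    """Classify each logged file as 'match', 'changed' or 'missing'.

    path_map maps the log's Windows path to where that file can be read now
    (the same path on the live machine, or a path inside a mounted image).
    'match' means MD5 and size equal the log; 'changed' means the file has been
    replaced since the log was taken, which is expected for anything the FCopy
    step restored from the SP3 folder.
    """
    report: Dict[str, str] = {}
    for log_path, info in entries.items():
        local = path_map.get(log_path)
        if not local or not os.path.isfile(local):
            report[log_path] = "missing"
            continue
        digest = hash_file(local)
        same = digest["md5"] == info["md5"] and os.path.getsize(local) == info["size"]
        report[log_path] = "match" if same else "changed"
    return report


# Constructed demo: two fake "system files" in a temp dir and a log whose
# Sigcheck block describes one of them exactly and the other as it was before
# being replaced. The winlogon MD5 is computed from the fake bytes, not taken
# from the thread; the explorer/ctfmon lines reuse values quoted in the log above.
FAKE_WINLOGON = b"constructed stand-in for winlogon.exe\n"
FAKE_EXPLORER = b"constructed stand-in for explorer.exe, already replaced\n"


def demo() -> Dict[str, str]:
    work = tempfile.mkdtemp(prefix="sigcheck_demo_")
    winlogon = os.path.join(work, "winlogon.exe")
    explorer = os.path.join(work, "explorer.exe")
    with open(winlogon, "wb") as fh:
        fh.write(FAKE_WINLOGON)
    with open(explorer, "wb") as fh:
        fh.write(FAKE_EXPLORER)
    log = (
        "------- Sigcheck -------\n\n"
        f"[-] 2008-04-13 21:42 . {hashlib.md5(FAKE_WINLOGON).hexdigest().upper()} . "
        f"{len(FAKE_WINLOGON)} . . [------] . . c:\\windows\\system32\\winlogon.exe\n\n"
        "[-] 2008-04-13 21:42 . 8B3FC63DBAE8263ED555FF8215C73887 . 1033728 . . [------] . . c:\\windows\\explorer.exe\n\n"
        "[-] 2008-04-13 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\\windows\\system32\\ctfmon.exe\n"
    )
    path_map = {
        "c:\\windows\\system32\\winlogon.exe": winlogon,
        "c:\\windows\\explorer.exe": explorer,
        # ctfmon.exe deliberately not mapped -> reported as 'missing'
    }
    return compare_with_log(parse_sigcheck(log), path_map)


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:8s} {path}")
```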


#11 siobhain
  • Topic Starter
  • Members
  • 23 posts
  • Local time:10:35 AM

Posted 27 December 2010 - 11:47 PM

Hi Georgi!

Results of the scan in the order you listed:


C:\Windows\regedit.exe

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: regedit.exe
Submission date: 2010-12-28 03:04:34 (UTC)
Current status: finished
Result: 0/ 43 (0.0%)
VT Community: not reviewed, Safety score: -

Antivirus Version Last Update Result
AhnLab-V3 2010.12.28.00 2010.12.27 -
AntiVir 7.11.0.201 2010.12.27 -
Antiy-AVL 2.0.3.7 2010.12.28 -
Avast 4.8.1351.0 2010.12.27 -
Avast5 5.0.677.0 2010.12.27 -
AVG 9.0.0.851 2010.12.28 -
BitDefender 7.2 2010.12.28 -
CAT-QuickHeal 11.00 2010.12.27 -
ClamAV 0.96.4.0 2010.12.28 -
Command 5.2.11.5 2010.12.28 -
Comodo 7208 2010.12.27 -
DrWeb 5.0.2.03300 2010.12.28 -
Emsisoft 5.1.0.1 2010.12.28 -
eSafe 7.0.17.0 2010.12.26 -
eTrust-Vet 36.1.8064 2010.12.27 -
F-Prot 4.6.2.117 2010.12.27 -
F-Secure 9.0.16160.0 2010.12.28 -
Fortinet 4.2.254.0 2010.12.27 -
GData 21 2010.12.28 -
Ikarus T3.1.1.90.0 2010.12.28 -
Jiangmin 13.0.900 2010.12.27 -
K7AntiVirus 9.74.3361 2010.12.27 -
Kaspersky 7.0.0.125 2010.12.28 -
McAfee 5.400.0.1158 2010.12.28 -
McAfee-GW-Edition 2010.1C 2010.12.27 -
Microsoft 1.6402 2010.12.27 -
NOD32 5737 2010.12.27 -
Norman 6.06.12 2010.12.27 -
nProtect 2010-12-27.01 2010.12.27 -
Panda 10.0.2.7 2010.12.27 -
PCTools 7.0.3.5 2010.12.28 -
Prevx 3.0 2010.12.28 -
Rising 22.80.00.00 2010.12.28 -
Sophos 4.60.0 2010.12.27 -
SUPERAntiSpyware 4.40.0.1006 2010.12.28 -
Symantec 20101.3.0.103 2010.12.28 -
TheHacker 6.7.0.1.106 2010.12.27 -
TrendMicro 9.120.0.1004 2010.12.27 -
TrendMicro-HouseCall 9.120.0.1004 2010.12.28 -
VBA32 3.12.14.2 2010.12.27 -
VIPRE 7854 2010.12.28 -
ViRobot 2010.12.27.4222 2010.12.27 -
VirusBuster 13.6.115.0 2010.12.27 -
Additional information
MD5 : f633ba5701a919a58592899ad173112d
SHA1 : 6403ee495590f68f452a6e3fa087ed3102eed29b
SHA256: b74c9b03028923ea5caec1dae3d38819aa6f39cc8c03557f01389b5ac3aabb85


c:\windows\system32\winlogon.exe

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: winlogon.exe
Submission date: 2010-12-28 03:09:12 (UTC)
Current status: finished
Result: 34/ 42 (81.0%)
VT Community: not reviewed, Safety score: -

Antivirus Version Last Update Result
AhnLab-V3 2010.12.28.00 2010.12.27 -
AntiVir 7.11.0.201 2010.12.27 TR/Spy.507904.67
Antiy-AVL 2.0.3.7 2010.12.28 Trojan/Win32.Patched.gen
Avast 4.8.1351.0 2010.12.27 Win32:Bamital-AQ
Avast5 5.0.677.0 2010.12.27 Win32:Bamital-AQ
AVG 9.0.0.851 2010.12.28 Win32/Patched
BitDefender 7.2 2010.12.28 Win32.Loader.S
CAT-QuickHeal 11.00 2010.12.27 Trojan.Patched.JW
ClamAV 0.96.4.0 2010.12.28 -
Command 5.2.11.5 2010.12.28 W32/Bamital.E
Comodo 7208 2010.12.27 TrojWare.Win32.Patched.kl
DrWeb 5.0.2.03300 2010.12.28 Win32.Dat.13
Emsisoft 5.1.0.1 2010.12.28 Virus.Win32.Bamital!IK
eSafe 7.0.17.0 2010.12.26 -
eTrust-Vet 36.1.8064 2010.12.27 Win32/Bamital.AP
F-Prot 4.6.2.117 2010.12.27 W32/Bamital.E
F-Secure 9.0.16160.0 2010.12.28 Win32.Loader.S
Fortinet 4.2.254.0 2010.12.27 W32/Pached.KL!tr
GData 21 2010.12.28 Win32.Loader.S
Ikarus T3.1.1.90.0 2010.12.28 Virus.Win32.Bamital
Jiangmin 13.0.900 2010.12.27 -
K7AntiVirus 9.74.3361 2010.12.27 Virus
Kaspersky 7.0.0.125 2010.12.28 Trojan.Win32.Patched.kl
McAfee 5.400.0.1158 2010.12.28 W32/Bamital.a
McAfee-GW-Edition 2010.1C 2010.12.27 W32/Bamital.a
Microsoft 1.6402 2010.12.27 Virus:Win32/Bamital.H
NOD32 5737 2010.12.27 Win32/Bamital.EQ
nProtect 2010-12-27.01 2010.12.27 Win32.Loader.S
Panda 10.0.2.7 2010.12.27 W32/Patched.AC
PCTools 7.0.3.5 2010.12.28 Virus.Bamital
Prevx 3.0 2010.12.28 -
Rising 22.80.00.00 2010.12.28 Trojan.Win32.Generic.5241EEB9
Sophos 4.60.0 2010.12.27 Troj/Patched-O
SUPERAntiSpyware 4.40.0.1006 2010.12.28 -
Symantec 20101.3.0.103 2010.12.28 Trojan.Bamital!inf
TheHacker 6.7.0.1.106 2010.12.27 -
TrendMicro 9.120.0.1004 2010.12.27 PE_PATCHED.SMC
TrendMicro-HouseCall 9.120.0.1004 2010.12.28 PE_PATCHED.SMC
VBA32 3.12.14.2 2010.12.27 -
VIPRE 7854 2010.12.28 Trojan.Win32.Generic!BT
ViRobot 2010.12.28.4223 2010.12.28 Win32.Patched.AF
VirusBuster 13.6.115.0 2010.12.27 Trojan.Bamital.Gen.3
Additional information
MD5 : f2bc2dcb41ecc9378ef1f7d5892b23a1
SHA1 : 00d88568422ec6ee745bcd447dacbe9d63ed1d94
SHA256: 79f7b2dbb375044d8d4705b0c2b36da1ea5374f7ae893cbe8864ca2ebbcd5fb9


c:\windows\explorer.exe

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name:
explorer.exe
Submission date:
2010-12-28 03:32:17 (UTC)
Current status:
queued (#3) queued analysing finished
Result:
4/ 43 (9.3%)

VT Community

not reviewed
Safety score: -
Antivirus Version Last Update Result
AhnLab-V3 2010.12.28.00 2010.12.27 -
AntiVir 7.11.0.201 2010.12.27 TR/Spy.1033728.15
Antiy-AVL 2.0.3.7 2010.12.28 -
Avast 4.8.1351.0 2010.12.27 -
Avast5 5.0.677.0 2010.12.27 -
AVG 9.0.0.851 2010.12.28 -
BitDefender 7.2 2010.12.28 -
CAT-QuickHeal 11.00 2010.12.27 -
ClamAV 0.96.4.0 2010.12.28 -
Command 5.2.11.5 2010.12.28 -
Comodo 7210 2010.12.28 -
DrWeb 5.0.2.03300 2010.12.28 -
Emsisoft 5.1.0.1 2010.12.28 -
eSafe 7.0.17.0 2010.12.26 Win32.TRSpy
eTrust-Vet 36.1.8064 2010.12.27 -
F-Prot 4.6.2.117 2010.12.27 -
F-Secure 9.0.16160.0 2010.12.28 -
Fortinet 4.2.254.0 2010.12.27 -
GData 21 2010.12.28 -
Ikarus T3.1.1.90.0 2010.12.28 -
Jiangmin 13.0.900 2010.12.27 -
K7AntiVirus 9.74.3361 2010.12.27 -
Kaspersky 7.0.0.125 2010.12.28 -
McAfee 5.400.0.1158 2010.12.28 -
McAfee-GW-Edition 2010.1C 2010.12.27 -
Microsoft 1.6402 2010.12.27 -
NOD32 5737 2010.12.27 -
Norman 6.06.12 2010.12.27 -
nProtect 2010-12-27.01 2010.12.27 -
Panda 10.0.2.7 2010.12.27 -
PCTools 7.0.3.5 2010.12.28 -
Prevx 3.0 2010.12.28 -
Rising 22.80.00.00 2010.12.28 Trojan.Win32.Generic.5241EAC3
Sophos 4.60.0 2010.12.27 -
SUPERAntiSpyware 4.40.0.1006 2010.12.28 -
Symantec 20101.3.0.103 2010.12.28 Suspicious.Mystic
TheHacker 6.7.0.1.106 2010.12.27 -
TrendMicro 9.120.0.1004 2010.12.27 -
TrendMicro-HouseCall 9.120.0.1004 2010.12.28 -
VBA32 3.12.14.2 2010.12.27 -
VIPRE 7854 2010.12.28 -
ViRobot 2010.12.28.4223 2010.12.28 -
VirusBuster 13.6.115.0 2010.12.27 -
Additional information
MD5 : b4f4369fd47354807f2f83ca54d6f335
SHA1 : 167daff1faad3ee9ccfb994a71a91a7a082d881a
SHA256: 7d67858d4bf93663d839aba8d66e3d9fb3913e0156421badc6b046d744f4cfc0


c:\windows\system32\user32.dll

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name:
user32.dll
Submission date:
2010-12-28 03:36:46 (UTC)
Current status:
queued (#6) queued analysing finished
Result:
1/ 42 (2.4%)

VT Community

not reviewed
Safety score: -
Antivirus Version Last Update Result
AhnLab-V3 2010.12.28.00 2010.12.27 -
AntiVir 7.11.0.201 2010.12.27 -
Antiy-AVL 2.0.3.7 2010.12.28 -
Avast 4.8.1351.0 2010.12.27 -
Avast5 5.0.677.0 2010.12.27 -
AVG 9.0.0.851 2010.12.28 -
BitDefender 7.2 2010.12.28 -
CAT-QuickHeal 11.00 2010.12.27 -
ClamAV 0.96.4.0 2010.12.28 -
Command 5.2.11.5 2010.12.28 -
Comodo 7210 2010.12.28 -
DrWeb 5.0.2.03300 2010.12.28 -
eSafe 7.0.17.0 2010.12.26 Win32.Banker
eTrust-Vet 36.1.8064 2010.12.27 -
F-Prot 4.6.2.117 2010.12.27 -
F-Secure 9.0.16160.0 2010.12.28 -
Fortinet 4.2.254.0 2010.12.27 -
GData 21 2010.12.28 -
Ikarus T3.1.1.90.0 2010.12.28 -
Jiangmin 13.0.900 2010.12.27 -
K7AntiVirus 9.74.3361 2010.12.27 -
Kaspersky 7.0.0.125 2010.12.28 -
McAfee 5.400.0.1158 2010.12.28 -
McAfee-GW-Edition 2010.1C 2010.12.27 -
Microsoft 1.6402 2010.12.27 -
NOD32 5737 2010.12.27 -
Norman 6.06.12 2010.12.27 -
nProtect 2010-12-27.01 2010.12.27 -
Panda 10.0.2.7 2010.12.27 -
PCTools 7.0.3.5 2010.12.28 -
Prevx 3.0 2010.12.28 -
Rising 22.80.00.00 2010.12.28 -
Sophos 4.60.0 2010.12.27 -
SUPERAntiSpyware 4.40.0.1006 2010.12.28 -
Symantec 20101.3.0.103 2010.12.28 -
TheHacker 6.7.0.1.106 2010.12.27 -
TrendMicro 9.120.0.1004 2010.12.27 -
TrendMicro-HouseCall 9.120.0.1004 2010.12.28 -
VBA32 3.12.14.2 2010.12.27 -
VIPRE 7854 2010.12.28 -
ViRobot 2010.12.28.4223 2010.12.28 -
VirusBuster 13.6.115.0 2010.12.27 -
Additional information
MD5 : b26b135ff1b9f60c9388b4a7d16f600b
SHA1 : 08fe9ff1fe9b8fd237adedb10d65fb0447b91fe5
SHA256: acd0ae7b4d5f871e148276c6cc4ae3a216e33f67fc78d827c16986e1f945438c


c:\windows\system32\wininet.dll

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name:
wininet.dll
Submission date:
2010-12-28 03:39:26 (UTC)
Current status:
queued (#4) queued (#5) analysing finished
Result:
0/ 40 (0.0%)

VT Community

not reviewed
Safety score: -
Antivirus Version Last Update Result
AntiVir 7.11.0.201 2010.12.27 -
Antiy-AVL 2.0.3.7 2010.12.28 -
Avast 4.8.1351.0 2010.12.27 -
Avast5 5.0.677.0 2010.12.27 -
AVG 9.0.0.851 2010.12.28 -
BitDefender 7.2 2010.12.28 -
CAT-QuickHeal 11.00 2010.12.27 -
ClamAV 0.96.4.0 2010.12.28 -
Command 5.2.11.5 2010.12.28 -
Comodo 7210 2010.12.28 -
Emsisoft 5.1.0.1 2010.12.28 -
eSafe 7.0.17.0 2010.12.26 -
eTrust-Vet 36.1.8064 2010.12.27 -
F-Prot 4.6.2.117 2010.12.27 -
F-Secure 9.0.16160.0 2010.12.28 -
Fortinet 4.2.254.0 2010.12.27 -
GData 21 2010.12.28 -
Ikarus T3.1.1.90.0 2010.12.28 -
Jiangmin 13.0.900 2010.12.27 -
K7AntiVirus 9.74.3361 2010.12.27 -
Kaspersky 7.0.0.125 2010.12.28 -
McAfee 5.400.0.1158 2010.12.28 -
McAfee-GW-Edition 2010.1C 2010.12.27 -
Microsoft 1.6402 2010.12.27 -
NOD32 5737 2010.12.27 -
Norman 6.06.12 2010.12.27 -
nProtect 2010-12-27.01 2010.12.27 -
Panda 10.0.2.7 2010.12.27 -
PCTools 7.0.3.5 2010.12.28 -
Prevx 3.0 2010.12.28 -
Rising 22.80.00.00 2010.12.28 -
Sophos 4.60.0 2010.12.27 -
SUPERAntiSpyware 4.40.0.1006 2010.12.28 -
TheHacker 6.7.0.1.106 2010.12.27 -
TrendMicro 9.120.0.1004 2010.12.27 -
TrendMicro-HouseCall 9.120.0.1004 2010.12.28 -
VBA32 3.12.14.2 2010.12.27 -
VIPRE 7854 2010.12.28 -
ViRobot 2010.12.28.4223 2010.12.28 -
VirusBuster 13.6.115.0 2010.12.27 -
Additional information
MD5 : 7a4f775abb2f1c97def3e73afa2faedd
SHA1 : 3cf1eb1003a5342fd0f3495b67ff9bb90c855413
SHA256: e83a063ed7c796071371e4cf3736b4f4b0572b66219c8cc8458a6a894645e14e


c:\windows\system32\sfcfiles.dll

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name:
sfcfiles.dll
Submission date:
2010-12-28 03:45:08 (UTC)
Current status:
queued queued analysing finished
Result:
0/ 43 (0.0%)

VT Community

not reviewed
Safety score: -
Antivirus Version Last Update Result
AhnLab-V3 2010.12.28.00 2010.12.27 -
AntiVir 7.11.0.201 2010.12.27 -
Antiy-AVL 2.0.3.7 2010.12.28 -
Avast 4.8.1351.0 2010.12.27 -
Avast5 5.0.677.0 2010.12.27 -
AVG 9.0.0.851 2010.12.28 -
BitDefender 7.2 2010.12.28 -
CAT-QuickHeal 11.00 2010.12.27 -
ClamAV 0.96.4.0 2010.12.28 -
Command 5.2.11.5 2010.12.28 -
Comodo 7210 2010.12.28 -
DrWeb 5.0.2.03300 2010.12.28 -
Emsisoft 5.1.0.1 2010.12.28 -
eSafe 7.0.17.0 2010.12.26 -
eTrust-Vet 36.1.8064 2010.12.27 -
F-Prot 4.6.2.117 2010.12.27 -
F-Secure 9.0.16160.0 2010.12.28 -
Fortinet 4.2.254.0 2010.12.27 -
GData 21 2010.12.28 -
Ikarus T3.1.1.90.0 2010.12.28 -
Jiangmin 13.0.900 2010.12.27 -
K7AntiVirus 9.74.3361 2010.12.27 -
Kaspersky 7.0.0.125 2010.12.28 -
McAfee 5.400.0.1158 2010.12.28 -
McAfee-GW-Edition 2010.1C 2010.12.27 -
Microsoft 1.6402 2010.12.27 -
NOD32 5737 2010.12.27 -
Norman 6.06.12 2010.12.27 -
nProtect 2010-12-27.01 2010.12.27 -
Panda 10.0.2.7 2010.12.27 -
PCTools 7.0.3.5 2010.12.28 -
Prevx 3.0 2010.12.28 -
Rising 22.80.00.00 2010.12.28 -
Sophos 4.60.0 2010.12.27 -
SUPERAntiSpyware 4.40.0.1006 2010.12.28 -
Symantec 20101.3.0.103 2010.12.28 -
TheHacker 6.7.0.1.106 2010.12.27 -
TrendMicro 9.120.0.1004 2010.12.27 -
TrendMicro-HouseCall 9.120.0.1004 2010.12.28 -
VBA32 3.12.14.2 2010.12.27 -
VIPRE 7854 2010.12.28 -
ViRobot 2010.12.28.4223 2010.12.28 -
VirusBuster 13.6.115.0 2010.12.27 -
Additional information
MD5 : 9dd07af82244867ca36681ea2d29ce79
SHA1 : 2e7878a9116000d708f1938858e6d0f584565fd2
SHA256: 84926a50cb38c322d1cdfd4c0d5f8ffe3b2ef3080b3401f5d5ae8cbd0a719685


c:\windows\system32\ctfmon.exe

3 VT Community user(s) with a total of 64 reputation credit(s) say(s) this sample is goodware. 2 VT Community user(s) with a total of 2 reputation credit(s) say(s) this sample is malware.
File name:
ctfmon.exe
Submission date:
2010-12-28 04:34:43 (UTC)
Current status:
queued queued analysing finished
Result:
1/ 43 (2.3%)

VT Community

goodware
Safety score: 97.0%
Antivirus Version Last Update Result
AhnLab-V3 2010.12.28.00 2010.12.27 -
AntiVir 7.11.0.201 2010.12.27 -
Antiy-AVL 2.0.3.7 2010.12.28 -
Avast 4.8.1351.0 2010.12.27 -
Avast5 5.0.677.0 2010.12.27 -
AVG 9.0.0.851 2010.12.28 -
BitDefender 7.2 2010.12.28 -
CAT-QuickHeal 11.00 2010.12.27 -
ClamAV 0.96.4.0 2010.12.28 -
Command 5.2.11.5 2010.12.28 -
Comodo 7210 2010.12.28 -
DrWeb 5.0.2.03300 2010.12.28 -
Emsisoft 5.1.0.1 2010.12.28 -
eSafe 7.0.17.0 2010.12.26 Win32.Banker
eTrust-Vet 36.1.8065 2010.12.28 -
F-Prot 4.6.2.117 2010.12.27 -
F-Secure 9.0.16160.0 2010.12.28 -
Fortinet 4.2.254.0 2010.12.27 -
GData 21 2010.12.28 -
Ikarus T3.1.1.90.0 2010.12.28 -
Jiangmin 13.0.900 2010.12.27 -
K7AntiVirus 9.74.3361 2010.12.27 -
Kaspersky 7.0.0.125 2010.12.28 -
McAfee 5.400.0.1158 2010.12.28 -
McAfee-GW-Edition 2010.1C 2010.12.27 -
Microsoft 1.6402 2010.12.27 -
NOD32 5737 2010.12.27 -
Norman 6.06.12 2010.12.27 -
nProtect 2010-12-27.01 2010.12.27 -
Panda 10.0.2.7 2010.12.27 -
PCTools 7.0.3.5 2010.12.28 -
Prevx 3.0 2010.12.28 -
Rising 22.80.00.00 2010.12.28 -
Sophos 4.60.0 2010.12.27 -
SUPERAntiSpyware 4.40.0.1006 2010.12.28 -
Symantec 20101.3.0.103 2010.12.28 -
TheHacker 6.7.0.1.106 2010.12.27 -
TrendMicro 9.120.0.1004 2010.12.27 -
TrendMicro-HouseCall 9.120.0.1004 2010.12.28 -
VBA32 3.12.14.2 2010.12.27 -
VIPRE 7856 2010.12.28 -
ViRobot 2010.12.28.4223 2010.12.28 -
VirusBuster 13.6.115.0 2010.12.27 -
Additional information
MD5 : 5f1d5f88303d4a4dbc8e5f97ba967cc3
SHA1 : 99cb7370f16773c8e2d0c86fe805ec638ab126e9
SHA256: 5fb24fc7916a6e6b3be7d84cb1684215b266cd1495575c2e5672b8447932e5b1


c:\windows\system32\wuauclt.exe

6 VT Community user(s) with a total of 1505 reputation credit(s) say(s) this sample is goodware. 2 VT Community user(s) with a total of 2 reputation credit(s) say(s) this sample is malware.
File name:
wuauclt.exe
Submission date:
2010-12-28 04:43:34 (UTC)
Current status:
queued queued (#1) analysing finished
Result:
0/ 43 (0.0%)

VT Community

goodware
Safety score: 99.9%
Antivirus Version Last Update Result
AhnLab-V3 2010.12.28.00 2010.12.27 -
AntiVir 7.11.0.201 2010.12.27 -
Antiy-AVL 2.0.3.7 2010.12.28 -
Avast 4.8.1351.0 2010.12.27 -
Avast5 5.0.677.0 2010.12.27 -
AVG 9.0.0.851 2010.12.28 -
BitDefender 7.2 2010.12.28 -
CAT-QuickHeal 11.00 2010.12.27 -
ClamAV 0.96.4.0 2010.12.28 -
Command 5.2.11.5 2010.12.28 -
Comodo 7210 2010.12.28 -
DrWeb 5.0.2.03300 2010.12.28 -
Emsisoft 5.1.0.1 2010.12.28 -
eSafe 7.0.17.0 2010.12.26 -
eTrust-Vet 36.1.8065 2010.12.28 -
F-Prot 4.6.2.117 2010.12.27 -
F-Secure 9.0.16160.0 2010.12.28 -
Fortinet 4.2.254.0 2010.12.27 -
GData 21 2010.12.28 -
Ikarus T3.1.1.90.0 2010.12.28 -
Jiangmin 13.0.900 2010.12.27 -
K7AntiVirus 9.74.3361 2010.12.27 -
Kaspersky 7.0.0.125 2010.12.28 -
McAfee 5.400.0.1158 2010.12.28 -
McAfee-GW-Edition 2010.1C 2010.12.27 -
Microsoft 1.6402 2010.12.27 -
NOD32 5737 2010.12.27 -
Norman 6.06.12 2010.12.27 -
nProtect 2010-12-27.01 2010.12.27 -
Panda 10.0.2.7 2010.12.27 -
PCTools 7.0.3.5 2010.12.28 -
Prevx 3.0 2010.12.28 -
Rising 22.80.00.00 2010.12.28 -
Sophos 4.60.0 2010.12.27 -
SUPERAntiSpyware 4.40.0.1006 2010.12.28 -
Symantec 20101.3.0.103 2010.12.28 -
TheHacker 6.7.0.1.106 2010.12.27 -
TrendMicro 9.120.0.1004 2010.12.27 -
TrendMicro-HouseCall 9.120.0.1004 2010.12.28 -
VBA32 3.12.14.2 2010.12.27 -
VIPRE 7856 2010.12.28 -
ViRobot 2010.12.28.4223 2010.12.28 -
VirusBuster 13.6.115.0 2010.12.27 -
Additional information
MD5 : 62bb79160f86cd962f312c68c6239bfd
SHA1 : c2de8148e1a8e8f097e3a40232ddb04efd0a7cc6
SHA256: 2fa2506b5c8b4469d2b36c803cceac15e831c3f8a4af065aca72da8f385f24c0
"What you do speaks so loudly that I cannot hear what you say" - Ralph Waldo Emerson

#12 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:05:35 AM

Posted 28 December 2010 - 08:20 PM

Hello siobhain, :)


Sorry for the delay.


  • Please restart your computer.
  • Windows Recovery Console will show up as a new option when booting up your computer. Select the Windows Recovery Console option when you start your computer.
  • If you have a dual-boot or multiple-boot computer, select the installation that you want to access from the Recovery Console...by number (usually 1).
    When you are prompted to do so, type the Administrator password. If you have not set an administrator password, leave it blank and just press "Enter".
  • When you get to the Recovery Console prompt, type in the following commands and press "Enter" after each:

ren explorer.exe explorer.old
copy c:\SP3\explorer.exe c:\windows

ren regedit.exe regedit.old
copy c:\SP3\regedit.exe c:\windows

cd system32
ren winlogon.exe winlogon.old
copy c:\SP3\winlogon.exe c:\windows\system32

ren userinit.exe userinit.old
copy C:\SP3\userinit.exe c:\windows\system32

ren wuauclt.exe wuauclt.old
copy c:\SP3\wuauclt.exe c:\windows\System32

ren ctfmon.exe ctfmon.old
copy c:\SP3\ctfmon.exe c:\windows\system32

ren wininet.dll wininet.old
copy c:\SP3\wininet.dll c:\windows\system32

ren user32.dll user32.old
copy c:\SP3\user32.dll c:\windows\system32

ren sfcfiles.dll sfcfiles.old
copy c:\SP3\sfcfiles.dll c:\windows\system32

cd drivers
ren tcpip.sys tcpip.old
copy c:\SP3\tcpip.sys c:\windows\system32\drivers


All letters are case sensitive


* If you are prompted that you are about to overwrite a file when you enter the copy command, you need to select No, as something hasn't gone correctly.

* You should see a message '1 file copied' (for each file we are dealing with). If you did not see that message, try again and ensure there is a space after the word copy and another space between the file paths. (If you do not see 1 file copied on the screen, even after ensuring the commands are correct, rename the files back to their original names by typing the following commands, then hitting Enter after each.)

cd c:\Windows
ren explorer.old explorer.exe
ren regedit.old regedit.exe
cd c:\windows\system32
ren winlogon.old winlogon.exe
ren userinit.old userinit.exe
ren wuauclt.old wuauclt.exe
ren ctfmon.old ctfmon.exe
ren wininet.old wininet.dll
ren user32.old user32.dll
ren sfcfiles.old sfcfiles.dll
cd c:\windows\system32\drivers
ren tcpip.old tcpip.sys


All letters are case sensitive


Once you have completed the commands, or if you had any issues, enter the following command to exit the Recovery Console:
exit - this will reboot your system as normal.


Let me know how you get on.


IMPORTANT NOTE - If you do not get that option please let me know in your next reply.



Regards,
Georgi

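Added example (mine, not code from the thread or from any tool named in it): a hash comparison that does for the file list in the post above what the procedure does by hand, marking each file as clean, modified, or lacking a clean copy, and emitting rename/copy steps only for the modified ones. Assumed: the c:\SP3 folder holds the clean copies flat by file name, and the constructed demo tree stands in for a real Windows install.

```python
import hashlib
import os
import tempfile
# Files replaced in the thread, relative to the Windows dir; clean copies assumed flat in c:\SP3.
REPLACED_FILES = ["explorer.exe", "regedit.exe", "system32/winlogon.exe",
                  "system32/userinit.exe", "system32/wuauclt.exe", "system32/ctfmon.exe",
                  "system32/wininet.dll", "system32/user32.dll", "system32/sfcfiles.dll",
                  "system32/drivers/tcpip.sys"]

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def check_files(windows_dir, clean_dir, rel_paths=REPLACED_FILES):
    """Map each file to 'clean', 'modified', 'missing' or 'no-clean-copy'. 'modified' only
    means the bytes differ from the clean copy; a legitimate hotfix build differs too, so
    confirm with a signature check before treating a mismatch as infection."""
    status = {}
    for rel in rel_paths:
        installed = os.path.join(windows_dir, *rel.split("/"))
        clean = os.path.join(clean_dir, rel.split("/")[-1])
        if not (os.path.isfile(installed) and os.path.isfile(clean)):
            status[rel] = "no-clean-copy" if os.path.isfile(installed) else "missing"
        elif sha256_of(installed) == sha256_of(clean):
            status[rel] = "clean"
        else:
            status[rel] = "modified"
    return status

def recovery_commands(status, win="c:\\windows", clean="c:\\SP3"):
    """Recovery Console steps for the modified files only; each step names an absolute
    directory so it does not depend on the console's current directory."""
    cmds = []
    for rel, state in status.items():
        if state != "modified":
            continue
        parts = rel.split("/")
        directory = "\\".join([win] + parts[:-1])
        cmds += [f"cd {directory}", f"ren {parts[-1]} {parts[-1].rsplit('.', 1)[0]}.old",
                 f"copy {clean}\\{parts[-1]} {directory}"]
    return cmds

def demo():
    """Constructed sample tree (not real binaries): two patched files, one clean, one with no clean copy."""
    root = tempfile.mkdtemp()
    win, sp3 = os.path.join(root, "windows"), os.path.join(root, "SP3")
    os.makedirs(os.path.join(win, "system32"))
    os.makedirs(sp3)
    clean = {"explorer.exe": b"MZ explorer", "system32/winlogon.exe": b"MZ winlogon",
             "system32/user32.dll": b"MZ user32", "system32/userinit.exe": b"MZ userinit"}
    for rel, data in clean.items():
        tampered = rel in ("explorer.exe", "system32/winlogon.exe")
        with open(os.path.join(win, *rel.split("/")), "wb") as fh:
            fh.write(data + b" PATCHED" if tampered else data)
        if rel != "system32/userinit.exe":
            with open(os.path.join(sp3, rel.split("/")[-1]), "wb") as fh:
                fh.write(data)
    status = check_files(win, sp3, list(clean))
    return status, recovery_commands(status)
```

Point `check_files` at the real Windows and SP3 folders to get the per-file verdicts; files reported as `no-clean-copy`, like userinit.exe in the reply below, need a clean copy obtained from elsewhere before they can be replaced.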


#13 siobhain

siobhain
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:10:35 AM

Posted 28 December 2010 - 10:25 PM

Hey Georgi,

I keep getting the message "Access Denied" whenever trying to copy from the C:\SP3\ directory. I also get that message when I cd C:\SP3.

Any suggestions?
"What you do speaks so loudly that I cannot hear what you say" - Ralph Waldo Emerson

#14 siobhain

siobhain
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:10:35 AM

Posted 29 December 2010 - 09:17 AM

OK, I got past the "Access Denied" issue, and then managed to rename all of the files with the exception of this one

ren userinit.exe userinit.old
copy C:\SP3\userinit.exe c:\windows\system32

due to userinit.exe not being in the C:\SP3 directory, nor the C:\SP3\i386 directory.

I was able to boot back up into Windows. Panda Cloud Antivirus suggests one second that there is a virus in winlogon.exe, and then the next that there are no problems. I'll wait now until your next suggestion :)

Regards,
siobhain
"What you do speaks so loudly that I cannot hear what you say" - Ralph Waldo Emerson

#15 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:05:35 AM

Posted 29 December 2010 - 02:15 PM

Hello siobhain, :)

Sorry for the delay.

Great work at resolving the "Access is denied" error.

I was going to recommend that you use the command AllowAllPaths = TRUE, but I'm glad you managed to figure it out yourself. Well done! :clapping:



I want to see which files failed to pass the Signature Checking again and if Combofix can disinfect some of them for us.


Please delete your copy of Combofix and download a fresh one from the link below.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Close/disable all antivirus and anti malware programs so they do not interfere with the running of ComboFix.

Let it run and post back with the logfile.



Regards,
Georgi





