Infected Explorer.exe file

#1 kanigetts


Posted 10 January 2011 - 05:22 PM

AVG warns of multiple infections of the windows.0\explorer.exe file hundreds of times a day. Computer hangs with empty desktop when most anything is tried. I booted in Safe Mode with Networking to run DDS and GMER programs. Newest MS Malicious Software tool found nothing. Under Safe Mode searches go to random websites in Firefox.

DDS (Ver_10-12-12.02) - NTFSx86 NETWORK
Run by Steve at 10:56:57.84 on Mon 01/10/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2514 [GMT -8:00]

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

============== Running Processes ===============

C:\WINDOWS.0\system32\svchost -k DcomLaunch
C:\WINDOWS.0\system32\svchost.exe -k netsvcs
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Steve\My Documents\Downloads\windows-kb890830-v3.14.exe
C:\Documents and Settings\Steve\My Documents\Downloads\Defogger.exe
C:\Documents and Settings\Steve\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagItBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybotsd\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: BrowserHelper Class: {9a065c65-4ee7-4ddd-9918-f129089a894a} - c:\program files\windows home server\WHSDeskBands.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: StylerToolBar: {d2f8f919-690b-4ea2-9fa7-a203d1e04f75} - c:\program files\styler\tb\StylerTB.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagItIEAddin.dll
TB: Home Server Banner: {d73e76a3-f902-45bd-8fc8-95ae8e014671} - c:\program files\windows home server\WHSDeskBands.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ctfmon.exe] c:\windows.0\system32\ctfmon.exe
uRun: [cdloader] "c:\documents and settings\steve\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
uRun: [Google Update] "c:\documents and settings\steve\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [Alcmtr] ALCMTR.EXE
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [EPSON Stylus CX4800 Series] c:\windows.0\system32\spool\drivers\w32x86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB002" /M "Stylus CX4800"
mRun: [RemoteControl10] "c:\program files\cyberlink\powerdvd10\PDVD10Serv.exe"
mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
mRun: [kmw_run.exe] kmw_run.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
StartupFolder: c:\docume~1\steve\startm~1\programs\startup\sharei~1.lnk - c:\program files\encounter web window\wQuickStart.exe
StartupFolder: c:\docume~1\steve\startm~1\programs\startup\styler.lnk - c:\docume~1\steve\applic~1\microsoft\installer\{e9ecf354-2422-4fdb-9abf-d8adac0ef941}\_585b207a.exe
StartupFolder: c:\docume~1\steve\startm~1\programs\startup\yuuguu.lnk - c:\program files\yuuguu\yuuguu.exe
StartupFolder: c:\docume~1\alluse~1.0\startm~1\programs\startup\lights~1.lnk - c:\program files\windows home server\LightsOutClientGUI.exe
StartupFolder: c:\docume~1\alluse~1.0\startm~1\programs\startup\post-i~1.lnk - c:\program files\3m\pdnotes\PDNotes.exe
StartupFolder: c:\docume~1\alluse~1.0\startm~1\programs\startup\ralink~1.lnk - c:\program files\ralink\common\RaUI.exe
StartupFolder: c:\docume~1\alluse~1.0\startm~1\programs\startup\snagit~1.lnk - c:\program files\techsmith\snagit 9\SnagIt32.exe
StartupFolder: c:\docume~1\alluse~1.0\startm~1\programs\startup\WINDOW~1.LNK -
StartupFolder: c:\docume~1\alluse~1.0\startm~1\programs\startup\window~2.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-system: NoVisualStyleChoice = 0 (0x0)
uPolicies-system: NoColorChoice = 0 (0x0)
uPolicies-system: NoSizeChoice = 0 (0x0)
mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)
mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybotsd\SDHelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
TCP: {6BB58BE4-F189-430E-8290-EE1D84B11F49} =,,,,
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: Msiinstall - {0abee2ff-28c7-406a-8fb4-18e9788b7ae4} - No File
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
mASetup: {D58F39FF-953E-4F45-898F-59F243B9A523} - RUNDLL32 advpack.dll,LaunchINFSection Sidebar.inf,Register
Hosts: www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\steve\applic~1\mozilla\firefox\profiles\bulcmfmn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - component: c:\program files\free download manager\firefox\extension\components\vmsfdmff.dll
FF - plugin: c:\documents and settings\steve\application data\mozilla\firefox\profiles\bulcmfmn.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
FF - plugin: c:\documents and settings\steve\local settings\application data\google\update\\npGoogleOneClick8.dll
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\dimdim\plugin\application\npDimDimControl.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
FF - Ext: StartAid Online Bookmarks: startaid@startaid.com - %profile%\extensions\startaid@startaid.com
FF - Ext: Tab Sidebar: TabSidebar@blueprintit.co.uk - %profile%\extensions\TabSidebar@blueprintit.co.uk
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: GoogleSharing: googlesharing@extension.thoughtcrime.org - %profile%\extensions\googlesharing@extension.thoughtcrime.org
FF - Ext: Garmin Communicator: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E} - %profile%\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows.0\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows.0\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R0 Lbd;Lbd;c:\windows.0\system32\drivers\Lbd.sys [2010-3-14 64288]
R0 SI3114;SiI-3114 SATALink Controller;c:\windows.0\system32\drivers\SI3114.sys [2010-5-26 73768]
R1 Avgtdix;AVG TDI Driver;c:\windows.0\system32\drivers\avgtdix.sys [2010-9-7 299984]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-8-12 1375992]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows.0\system32\drivers\avgldx86.sys [2010-9-7 251728]
S1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows.0\system32\drivers\avgmfx86.sys [2010-9-7 34384]
S2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2010/04/24 23:59:08];c:\program files\cyberlink\powerdvd10\navfilter\000.fcl [2010-3-13 87536]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-23 6128208]
S2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
S2 GreenPrint;GreenPrint;c:\program files\greenprint\gpsrht01.exe [2010-3-30 427048]
S2 gupdate1c9ce8a6eaa14fe;Google Update Service (gupdate1c9ce8a6eaa14fe);c:\program files\google\update\GoogleUpdate.exe [2009-5-6 133104]
S2 LoClntService;LightsOut Client Service;c:\program files\windows home server\LightsOutClientService.exe [2010-6-22 49152]
S2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\nitro pdf\professional\NitroPDFDriverService.exe [2009-12-16 188736]
S2 nlsX86cc;NLS Service;c:\windows.0\system32\NLSSRV32.EXE [2009-12-16 65856]
S2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\ralink\common\RaRegistry.exe [2009-12-29 185632]
S2 Scutum50;Scutum50 NDIS Protocol Driver;c:\windows.0\system32\drivers\Scutum50.sys [2009-12-29 19072]
S2 TeamViewer4;TeamViewer 4;c:\program files\teamviewer\version4\TeamViewer_Service.exe [2009-4-29 185640]
S2 WHSConnector;Windows Home Server Connector Service;c:\program files\windows home server\WHSConnector.exe [2009-10-7 376680]
S3 Ambfilt;Ambfilt;c:\windows.0\system32\drivers\Ambfilt.sys [2009-4-22 1684736]
S3 AODDriver;AODDriver;c:\program files\gigabyte\et6\i386\AODDriver.sys [2009-2-22 7168]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows.0\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows.0\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
S3 AVGIDSShim;AVGIDSShim;c:\windows.0\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
S3 BackupReader;BackupReader;c:\windows.0\system32\drivers\BackupReader.sys [2009-4-20 44784]
S3 cpuz132;cpuz132;c:\windows.0\system32\drivers\cpuz132_x32.sys [2009-4-24 12672]
S3 dfmirage;dfmirage;c:\windows.0\system32\drivers\dfmirage.sys [2009-3-28 31896]
S3 etdrv;etdrv;c:\windows.0\etdrv.sys [2009-4-22 17488]
S3 GVTDrv;GVTDrv;c:\windows.0\system32\drivers\GVTDrv.sys [2009-4-22 24944]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-1-31 19056]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows.0\system32\drivers\rt2870.sys [2009-12-29 779136]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra professional business 2009.sp2\RpcAgentSrv.exe [2009-4-23 98488]
S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 WsAudioDevice_383;WsAudioDevice_383;c:\windows.0\system32\drivers\WsAudioDevice_383.sys [2010-12-9 16640]

=============== File Associations ===============

regfile\shell\edit\command=%SystemRoot%\system32\NOTEPAD.EXE %1

=============== Created Last 30 ================

2011-01-10 17:27:22 -------- d-----w- C:\00f686a20c9db08918
2011-01-09 21:18:38 -------- d-----w- c:\docume~1\alluse~1.0\applic~1\bHkDa04200
2011-01-07 19:36:23 -------- d-----w- c:\docume~1\steve\locals~1\applic~1\Add-in Express Ltd
2011-01-07 19:36:02 -------- d-----w- c:\program files\Add-in Express
2010-12-24 07:52:18 -------- d-----w- c:\program files\Lavalys
2010-12-15 03:36:47 -------- d-----w- c:\program files\Intel Corporation
2010-12-12 15:35:13 -------- d-----w- c:\program files\Symmetricom
2010-12-12 15:34:31 -------- d-----w- c:\windows.0\Downloaded Installations

==================== Find3M ====================

2011-01-10 17:03:23 7304 ----a-w- c:\windows.0\TMP0001.TMP
2010-12-15 03:43:36 6656 ----a-w- c:\windows.0\system32\lpcio.dll
2010-11-17 07:41:00 323624 ----a-w- c:\windows.0\system32\wiaaut.dll
2010-10-23 01:58:06 33019 ----a-w- c:\windows.0\system32\CoreAAC-uninstall.exe

============= FINISH: 10:57:33.78 ===============
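
Reading a DDS log like the one above by eye is slow, so here is an added example (my own triage script, not DDS's output, and not anything posted in this thread) that parses the three line formats seen in the log: the Running Processes paths, the uRun/mRun/StartupFolder entries, and the R0/S2/S3 service lines. It flags the items a helper tends to look at first: entries marked "No File", executables that load from a user-writable profile directory, bare file names that get resolved through the PATH search, and kernel drivers sitting outside system32\drivers. The regexes and heuristics are my assumptions about the format, and the embedded sample log is constructed from lines copied from the DDS output above.

```python
import re
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    section: str   # DDS section the line came from
    item: str      # the path or entry the finding is about
    reason: str    # why it deserves a second look


# Constructed sample: a handful of lines copied from the DDS log in this thread.
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\WINDOWS.0\system32\svchost.exe -k netsvcs
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Documents and Settings\Steve\My Documents\Downloads\Defogger.exe

============== Pseudo HJT Report ===============

uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [cdloader] "c:\documents and settings\steve\application data\mjusbsp\cdloader2.exe" MAGICJACK
mRun: [Alcmtr] ALCMTR.EXE
mRun: [kmw_run.exe] kmw_run.exe
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
SSODL: Msiinstall - {0abee2ff-28c7-406a-8fb4-18e9788b7ae4} - No File
StartupFolder: c:\docume~1\steve\startm~1\programs\startup\yuuguu.lnk - c:\program files\yuuguu\yuuguu.exe

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows.0\system32\drivers\Lbd.sys [2010-3-14 64288]
S3 etdrv;etdrv;c:\windows.0\etdrv.sys [2009-4-22 17488]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-1-31 19056]
"""

# Heuristics and line formats below are my assumptions, derived from the log's shape.
USER_WRITABLE = re.compile(
    r"\\documents and settings\\[^\\]+\\(application data|local settings|my documents)\\", re.I)
BARE_NAME = re.compile(r"^[\w.-]+\.(exe|dll|sys|scr)$", re.I)          # no directory at all
EXE_TOKEN = re.compile(r"^(.*?\.(?:exe|dll|sys|scr))(?=\s|$)", re.I)   # path up to the binary
SERVICE_LINE = re.compile(
    r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(\d{4}-\d{1,2}-\d{1,2})\s+(\d+)\]$")
RUN_LINE = re.compile(r"^([um]Run|dRunOnce|StartupFolder):\s*(?:\[[^\]]*\]\s*)?(.*)$")
SECTION_LINE = re.compile(r"^=+\s*(.+?)\s*=+$")


def extract_path(command: str) -> str:
    """Return the executable path from a Run-style value, dropping quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_TOKEN.match(command)
    return m.group(1) if m else command.split(" ")[0]


def judge_path(path: str) -> Optional[str]:
    """Return a reason string if the path matches one of the triage heuristics."""
    if BARE_NAME.match(path):
        return "bare file name, located via PATH search rather than an absolute path"
    if USER_WRITABLE.search(path):
        return "executable lives in a user-writable profile directory"
    if path.lower().endswith(".sys") and "\\drivers\\" not in path.lower():
        return "kernel driver loaded from outside system32\\drivers"
    return None


def triage(log_text: str) -> List[Finding]:
    """Walk a DDS log section by section and collect entries worth a human's attention."""
    findings: List[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_LINE.match(line)
        if header:
            section = header.group(1)
            continue
        if "No File" in line:
            findings.append(Finding(section, line, "entry points at a file that no longer exists (No File)"))
            continue
        path = None
        run = RUN_LINE.match(line)
        svc = SERVICE_LINE.match(line)
        if section == "Running Processes":
            path = extract_path(line)
        elif run:
            value = run.group(2)
            if run.group(1) == "StartupFolder" and " - " in value:
                value = value.split(" - ", 1)[1]   # shortcut target follows the .lnk
            path = extract_path(value)
        elif svc:
            path = svc.group(4)
        if path:
            reason = judge_path(path)
            if reason:
                findings.append(Finding(section, path, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.item}\n    {f.reason}")
```

On the sample above the script raises eight findings, and two of them are benign (Defogger.exe was downloaded on purpose, and pbfilter.sys is PeerBlock's own driver), which is the point: the output is a reading list for the person doing the analysis, not a verdict, and every flagged path still has to be checked against what the software on the machine is known to install.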

#2 Noviciate


Posted 10 January 2011 - 05:36 PM

Good evening. :)

Pay a visit to the ESET Online Scanner.

  • Click the ESET Online Scanner button, read the info in the new window, check the appropriate box and click Start.
  • Accept the ActiveX download, and allow it to install.
  • Once this has been completed, you will see the Computer Scan settings page - ensure that you uncheck the "Remove found threats" box and then click Start.
  • The virus signature database will now need to be downloaded, so don't forget to instruct your firewall to permit it if it asks.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

So long, and thanks for all the fish.



#3 kanigetts

Posted 10 January 2011 - 06:46 PM

Thanks for your super quick response. I scanned with ESET and it found 4 infected files. The Java updater has always acted kind of funny and there was some attempted activity by it just before these symptoms presented themselves.

C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\6.0\40\10711a28-60101116 a variant of Win32/Kryptik.JNK trojan

C:\WINDOWS.0\system32\nt.dll Win32/Bamital.EZ trojan

C:\WINDOWS.0\system32\winlogon.exe Win32/Patched.GN trojan

Operating memory Win32/Patched.GN trojan

#4 Noviciate


Posted 11 January 2011 - 02:24 PM

Good evening. :)

Do you have access to another computer running Windows XP Pro Service Pack 3 that you could liberate a couple of files from?

So long, and thanks for all the fish.



#5 kanigetts

Posted 11 January 2011 - 03:02 PM

I have a laptop running the XP Tablet Edition with SP3. It also has the Kryptik infection but in a different location and without symptoms. I found it while running ESET on it. I'm attempting to clear that one and others using the Avast pre-boot scan (on the Tablet, not the computer you are helping me with). What files do I need? I have a Windows Home Server and a couple of laptops running Windows 7.

#6 kanigetts

Posted 11 January 2011 - 04:37 PM

The Avast pre-boot scan seems to have cleared out the trojan on my tablet, and so its files may be of use for this computer after all. An ESET scan of that tablet revealed no infection. I will delete the backups on WHS for the tablet, but I don't know how to delete any restore points it may have. Part of the infection was in the hiberfil.sys file. This computer remains infected (not the tablet) and I don't think I can clean it with Avast since it is infecting a protected system file.

#7 Noviciate


Posted 12 January 2011 - 03:50 PM

Good evening. :)

We'll see if an automatic fix works first, and if that doesn't, we'll go with a manual file replacement which is a little more involved.

Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingcomputer.com/combofix/how-to-use-combofix *

  • When prompted to save Combofix, change the filename BEFORE saving it - any name will do, as long as it has .exe at the end.
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste
  • Let me know how the PC is behaving.

* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console, so you are free to choose whether you want to complete this step, but it is in your interests to do so.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for!

So long, and thanks for all the fish.



#8 Noviciate


Posted 17 January 2011 - 03:26 PM

As there has been no response for five days this thread is now closed.

So long, and thanks for all the fish.
