Win32/Patched.GB


This topic is locked
15 replies to this topic

#1 anon102 (Members)

Posted 10 January 2011 - 09:50 PM

Was using google tonight and clicked on a web page link. A couple of minutes later I am getting an AVG pop-up in regards to the above mentioned virus. Any ideas on how to remove? I was using Firefox at the time of the virus being found.

I didn't have AVG remove.

Regards,

Ryan


#2 teacup61, Bleepin' Texan! (Malware Response Team, Wills Point, Texas)

Posted 10 January 2011 - 09:54 PM

Hello anon102 ,


This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. IF YOU USE AVG IT MUST BE UNINSTALLED OR THIS WILL NOT RUN.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to anon.exe and try again.

Thanks,
tea

***Can a Mod please move this to MR? :)

Edited by teacup61, 10 January 2011 - 09:55 PM.

Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 anon102 (Topic Starter, Members)

Posted 11 January 2011 - 07:01 PM

Tea,

Thanks for the quick response. I downloaded and ran ComboFix after uninstalling AVG. During the process it looks like it found the bad file and did something with it. Log below.
Regards,
Ryan

ComboFix 11-01-11.01 - Ryan 01/11/2011 17:16:08.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2943.2443 [GMT -6:00]
Running from: c:\documents and settings\Ryan\My Documents\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\confin.sys
c:\documents and settings\Ryan\Application Data\inst.exe
c:\documents and settings\Ryan\Application Data\SystemProc
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbar.dll
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SSHNAS
-------\Service_SSHNAS


((((((((((((((((((((((((( Files Created from 2010-12-11 to 2011-01-11 )))))))))))))))))))))))))))))))
.

2010-12-27 04:35 . 2010-12-27 04:35 -------- d-----w- c:\program files\iPod
2010-12-27 04:35 . 2010-12-27 04:37 -------- d-----w- c:\program files\iTunes
2010-12-27 04:35 . 2010-12-27 04:35 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-12-27 04:32 . 2010-09-28 21:44 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-12-27 04:32 . 2010-09-28 21:44 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-12-27 04:32 . 2010-12-27 04:32 -------- d-----w- c:\program files\Bonjour
2010-12-24 01:29 . 2010-12-24 01:29 -------- d-----w- c:\documents and settings\Guest\Application Data\AVG10
2010-12-18 17:29 . 2010-12-18 17:29 -------- d-----w- c:\documents and settings\All Users\Application Data\vsosdk
2010-12-18 02:01 . 2010-12-18 02:01 -------- d-----w- c:\documents and settings\Ryan\Application Data\HamsterSoft
2010-12-16 04:14 . 2010-12-16 04:14 -------- d-----w- c:\program files\Haali
2010-12-16 04:13 . 2010-12-16 04:13 33019 ----a-w- c:\windows\system32\CoreAAC-uninstall.exe
2010-12-16 04:13 . 2010-12-16 04:13 -------- d-----w- c:\program files\AC3Filter
2010-12-16 04:12 . 2010-12-16 04:12 -------- d-----w- c:\program files\AviSynth 2.5
2010-12-16 04:12 . 2010-12-16 04:30 -------- d-----w- c:\program files\Avi2Dvd
2010-12-16 02:30 . 2010-12-16 02:30 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\WinAVI
2010-12-16 02:30 . 2010-12-16 02:30 -------- d-----w- c:\documents and settings\Ryan\Application Data\WinAVI
2010-12-16 02:30 . 2010-12-16 02:30 -------- d-----w- c:\program files\All in One Converter
2010-12-15 04:34 . 2010-12-16 02:48 -------- d-----w- c:\program files\MyVideoConverter
2010-12-15 04:34 . 2010-12-15 04:34 -------- d-----w- c:\windows\system32\drivers\mycodec

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 23:38 . 2010-11-29 23:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 23:38 . 2010-11-29 23:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-12 01:37 . 2010-11-12 01:37 53248 ----a-r- c:\documents and settings\Ryan\Application Data\Microsoft\Installer\{23C12370-3A82-4558-B727-F345B473AD87}\ARPPRODUCTICON.exe
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"SkyTel"="SkyTel.EXE" [2007-08-03 1826816]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-27 16844800]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-02 524632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]

c:\documents and settings\Ryan\Start Menu\Programs\Startup\
Free Music Zilla.lnk - c:\program files\Free Music Zilla\FMZilla.exe [N/A]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 05:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2010-03-11 03:32 648536 ----a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-06-26 23:50 212992 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2003-06-25 16:24 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 23:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-26 22:16 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\T-Mobile Connection Manager]
2009-01-12 16:00 20248 ----a-w- c:\program files\T-Mobile\Connection Manager\TMobileCM.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/21/2009 8:59 PM 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 3:34 PM 1029456]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/22/2010 10:18 AM 136176]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [11/8/2010 7:59 PM 96488]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [11/8/2010 7:59 PM 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [11/8/2010 7:59 PM 121576]
S3 TMobileRcAppSvc;T-Mobile RcApp Svc;c:\program files\T-Mobile\Connection Manager\RcAppSvc.exe [1/5/2009 5:48 PM 120088]
.
Contents of the 'Scheduled Tasks' folder

2011-01-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 02:59]

2011-01-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]

2011-01-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-22 16:18]

2011-01-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-22 16:18]

2010-12-16 c:\windows\Tasks\HP DArC Task 2003-06-26 13:16ewlett-Packard2003-06-26 13:16p psc 1300 seriesA3652443A372B157BFD83129692C2C2475483DE7218905109.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-06-26 23:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=Z016&form=ZGAPHP
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Ryan\Application Data\Mozilla\Firefox\Profiles\ossgi1ko.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z016&form=ZGAADF&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Easy Youtube Video Downloader: {c0c9a2c7-2e5c-4447-bc53-97718bc91e1b} - %profile%\extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}
FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com
.
- - - - ORPHANS REMOVED - - - -

BHO-{9D425283-D487-4337-BAB6-AB8354A81457} - (no file)
HKLM-Run-SansaDispatch - c:\program files\SanDisk\Sansa Updater\SansaDispatch.exe
HKLM-Run-DXDllRegExe - dxdllreg.exe
HKLM-Explorer_Run-RTHDBPL - c:\autoexec.exe
Notify-avgrsstarter - (no file)
MSConfigStartUp-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
AddRemove-Search Toolbar - c:\program files\Search Toolbar\SearchToolbarUninstall.exe
AddRemove-03_Swallowtail - c:\program files\Samsung\USB Drivers\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\Samsung\USB Drivers\04_semseyite\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\Samsung\USB Drivers\16_Shrewsbury\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-11 17:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
RTHDBPL = c:\autoexec.exe????????????????? ??????????$????????????????????????#???????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3132)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\windows\system32\nvsvc32.exe
c:\program files\TVersity\Media Server\MediaServer.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-01-11 17:25:46 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-11 23:25

Pre-Run: 59,938,234,368 bytes free
Post-Run: 60,699,828,224 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - ED88F90E56758D4E6FEC3C6DA9ED3F57
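As an added example, not code from the thread or from ComboFix itself, here is a Python parser for the log layout posted above: it picks out the section banners, the Infected/Restored pairs that record patched system files such as winlogon.exe, the removed SSHNAS service entries, the Run-key loading points and the firewall setting, so a log can be triaged without reading it line by line. The sample excerpt is constructed from lines of that log.

```python
import re
from dataclasses import dataclass, field

SECTION_RE = re.compile(r"^\({5,}\s*(.*?)\s*\){5,}$")       # "(((( Other Deletions ))))"
INFECTED_RE = re.compile(r"^Infected copy of (.+?) was found and disinfected$")
RESTORED_RE = re.compile(r"^Restored copy from - (.+)$")
SERVICE_RE = re.compile(r"^-+\\(?:Legacy_|Service_)(.+)$")   # "-------\Service_SSHNAS"
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"')
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')

@dataclass
class ComboFixReport:
    deletions: list = field(default_factory=list)       # files and folders removed
    repaired: list = field(default_factory=list)        # (patched file, clean copy used)
    services_removed: list = field(default_factory=list)
    run_entries: dict = field(default_factory=dict)     # Run key -> [(name, command)]
    firewall_enabled: "bool | None" = None              # None when the log has no value

def parse_combofix(text: str) -> ComboFixReport:
    report = ComboFixReport()
    section = reg_key = pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":                     # lone dots are spacers
            continue
        m = SECTION_RE.match(line)
        if m:
            section, reg_key = m.group(1), None
            continue
        # An Infected/Restored pair records a patched system file replaced from a clean copy.
        m = INFECTED_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = RESTORED_RE.match(line)
        if m and pending:
            report.repaired.append((pending, m.group(1)))
            pending = None
            continue
        if section == "Other Deletions":
            report.deletions.append(line)
        elif section == "Drivers/Services":
            m = SERVICE_RE.match(line)
            if m and m.group(1) not in report.services_removed:
                report.services_removed.append(m.group(1))
        elif section == "Reg Loading Points":
            m = REG_KEY_RE.match(line)
            if m:
                reg_key = m.group(1)
                continue
            m = FIREWALL_RE.match(line)
            if m:                                       # 0 means the XP firewall is off
                report.firewall_enabled = m.group(1) != "0"
                continue
            m = REG_VALUE_RE.match(line)
            if m and reg_key and reg_key.lower().endswith("\\run"):
                report.run_entries.setdefault(reg_key, []).append((m.group(1), m.group(2)))
    return report

# Constructed excerpt in the posted log's layout: banners, "." spacers, Infected/Restored pairs, services, loading points.
SAMPLE_LOG = r"""
(((((((((( Other Deletions ))))))))))
.
C:\confin.sys
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe
Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe
.
(((((((((( Drivers/Services ))))))))))
-------\Legacy_SSHNAS
-------\Service_SSHNAS
(((((((((( Reg Loading Points ))))))))))
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""
```

Feeding the full log from post #3 to parse_combofix gives the two repaired system files, the SSHNAS service and EnableFirewall=0 at a glance.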

#4 anon102 (Topic Starter, Members)

Posted 12 January 2011 - 02:45 PM

After reading the forum rules I don't think I was supposed to post logs here. Can someone direct me to the right place? Tea was helping me, but I think the mod needed to move the post or something.

Thanks,
Ryan

#5 Orange Blossom, OBleepin Investigator (Moderator, Bloomington, IN)

Posted 12 January 2011 - 06:24 PM

Hello Ryan and Teacup,

I'm moving this topic to the proper forum.

@ Ryan, I'm deleting your other two topics to avoid confusion.

Back to you Teacup,

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#6 anon102 (Topic Starter, Members)

Posted 12 January 2011 - 07:09 PM

Thanks Orange Blossom

#7 teacup61, Bleepin' Texan! (Malware Response Team, Wills Point, Texas)

Posted 12 January 2011 - 07:33 PM

Hi there,

How is it running now please? :)

#8 anon102 (Topic Starter, Members)

Posted 13 January 2011 - 03:38 PM

Tea,

I wasn't sure if there was anything else I needed to check before using the PC. I believe ComboFix took care of the issue.

I will give it a try tonight. BTW what is the consensus for best free anti virus program by BC members?

Thanks,
Ryan

#9 teacup61, Bleepin' Texan! (Malware Response Team, Wills Point, Texas)

Posted 13 January 2011 - 03:43 PM

Hello Ryan,

Avira is one of the best, and it's what I use on my own system. http://www.free-av.com/

Uninstall ComboFix by doing the following :

Click Start>Run>Type in, or copy and paste ComboFix /Uninstall > click OK

Are your scans coming up clean now? Please do let me know how it does when you use it. :thumbup2:

Thanks,
tea

#10 anon102 (Topic Starter, Members)

Posted 14 January 2011 - 09:10 PM

Tea,

I removed ComboFix and re-installed AVG. After trying 3 scans it always froze about 30 percent in. So I uninstalled AVG and downloaded Avira. It has found the following:

NT.DLL with TR/Hijacker.gen, which it moved to quarantine.

Should I try anything else?

Thanks,
Ryan

#11 teacup61, Bleepin' Texan! (Malware Response Team, Wills Point, Texas)

Posted 15 January 2011 - 12:30 PM

Hi Ryan :)

Well, it depends on the full path. It could be completely benign... did it give you the full path to that file?

#12 anon102 (Topic Starter, Members)

Posted 15 January 2011 - 01:40 PM

Tea,

I am attaching scans below. The first scan found one virus. The second scan found more. I am wondering if these have been there for some time, but AVG just missed them.

SCAN 1
Starting to scan executable files (registry).
C:\WINDOWS\system32\NT.DLL
[DETECTION] Is the TR/Hijacker.Gen Trojan

The registry was scanned ( '1761' files ).


Beginning disinfection:
The registration entry <HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools> was removed successfully.
C:\WINDOWS\system32\NT.DLL
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AccessProviders\ProviderOrder> was removed successfully.
[NOTE] The file was moved to the quarantine directory under the name '4f00a6bc.qua'.


SCAN 2

Starting the file scan:

Begin scan in 'C:\'
C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\6.0\15\1a25d2cf-7513ddda
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the EXP/CVE-2008-5353.KE exploit
--> gogol/Emailer.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2008-5353.KE exploit
--> gogol/Familie.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.J Java virus
--> gogol/PhonBook.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2008-5353.HN exploit
C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\6.0\16\5f68fa90-3acc4d44
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/OpenConnect.CF Java virus
--> bpac/a.class
[DETECTION] Contains recognition pattern of the JAVA/OpenConnect.CF Java virus
C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\6.0\43\7fe5a66b-124784d5
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/ClassLoader.AO Java virus
--> Is.class
[DETECTION] Contains recognition pattern of the JAVA/ClassLoader.AO Java virus
--> MyName.class
[DETECTION] Contains recognition pattern of the JAVA/ClassLoader.AN Java virus
--> Phone.class
[DETECTION] Contains recognition pattern of the JAVA/ClassLoader.AP Java virus
C:\Documents and Settings\Ryan\Local Settings\temp\Av-test.txt
[DETECTION] Contains code of the Eicar-Test-Signature virus
C:\Program Files\GrabIt\Download\Modern Marvels\Modern Marvels Heavy Metals 720p HDTV x264-MiRAGETV immortalseed.rar
[0] Archive type: RAR
[DETECTION] Contains recognition pattern of the DR/Dldr.Small.anus dropper
--> Setup.exe
[DETECTION] Contains recognition pattern of the DR/Dldr.Small.anus dropper
--> fileextract.exe
[DETECTION] Is the TR/Dldr.Small.anus Trojan
C:\Program Files\GrabIt\Download\Modern Marvels\Modern Marvels Money 720p HDTV x264-MiRAGETV immortalseed.rar
[0] Archive type: RAR
[DETECTION] Contains recognition pattern of the DR/Dldr.Small.anus dropper
--> Setup.exe
[DETECTION] Contains recognition pattern of the DR/Dldr.Small.anus dropper
--> fileextract.exe
[DETECTION] Is the TR/Dldr.Small.anus Trojan
Begin scan in 'F:\' <DRV1_VOL1>

Beginning disinfection:
C:\Program Files\GrabIt\Download\Modern Marvels\Modern Marvels Money 720p HDTV x264-MiRAGETV immortalseed.rar
[DETECTION] Is the TR/Dldr.Small.anus Trojan
[NOTE] The file was moved to the quarantine directory under the name '4eb04df0.qua'.
C:\Program Files\GrabIt\Download\Modern Marvels\Modern Marvels Heavy Metals 720p HDTV x264-MiRAGETV immortalseed.rar
[DETECTION] Is the TR/Dldr.Small.anus Trojan
[NOTE] The file was moved to the quarantine directory under the name '56276258.qua'.
C:\Documents and Settings\Ryan\Local Settings\temp\Av-test.txt
[DETECTION] Contains code of the Eicar-Test-Signature virus
[NOTE] The file was moved to the quarantine directory under the name '04b338b7.qua'.
C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\6.0\43\7fe5a66b-124784d5
[DETECTION] Contains recognition pattern of the JAVA/ClassLoader.AP Java virus
[NOTE] The file was moved to the quarantine directory under the name '624c7745.qua'.
C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\6.0\16\5f68fa90-3acc4d44
[DETECTION] Contains recognition pattern of the JAVA/OpenConnect.CF Java virus
[NOTE] The file was moved to the quarantine directory under the name '27395a7b.qua'.
C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\6.0\15\1a25d2cf-7513ddda
[DETECTION] Contains recognition pattern of the EXP/CVE-2008-5353.HN exploit
[NOTE] The file was moved to the quarantine directory under the name '5826681f.qua'.

#13 teacup61, Bleepin' Texan! (Malware Response Team, Wills Point, Texas)

Posted 15 January 2011 - 01:45 PM

Hmmm... no way to tell if it's old. But as long as it's gone now, I'm not concerned. Clear the vault and have another scan... let me know if it comes up clean. How is it running today please? :)

Thanks,
tea

#14 anon102 (Topic Starter, Members)

Posted 16 January 2011 - 12:12 AM

Last scan came up clean. I think we should be fine now. Thank you for all of your assistance in this process.

#15 teacup61, Bleepin' Texan! (Malware Response Team, Wills Point, Texas)

Posted 16 January 2011 - 12:29 AM

You're most welcome, Ryan. :thumbup2:

Take care!
tea



