Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Win32:Patched-UE [Trj] infection

  • This topic is locked This topic is locked
23 replies to this topic

#1 Itchylyn


  • Members
  • 12 posts
  • Local time:10:39 PM

Posted 14 January 2011 - 01:01 PM

I first started noticing something was strange when, almost whenever I googled something, Google would warn me that the site I was trying to access was infected, or it would claim that the coding on the site I was trying to access was insufficient and that it was therefore not able to load the page, or finally it would redirect me to iGoogle. I had also noticed that there was often a time-lag delay whenever I typed something - both online and in text files. The latter problem has been occuring for some time, but the Google issue is only a few days old. I don't know whether those issues are related to the current infection, but they are what caused me to run these scans in the first place. Apart from those issues, I haven't noticed any other suspicious behaviors.

So far, I have run a Spybot search (no results) and an Avast search. Avast found two infected files, both with the location and name of:


And the infection was given as being from:

Win32: Patched-UE [Trj]

Avast wasn't able to fix or remove the files, as they were in use.

After that, I ran MalwareBytes, which didn't detect anything. Then, I ran HitmanPro, which detected four infected files. Two it couldn't remove (one being explorer.exe again, and the other being winlogin.exe), while the other two it was able to safely quarantine.

DDS (Ver_10-12-12.02) - NTFSx86
Run by Marianne MacDonald at 16:30:11,14 on 14.01.2011
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.47.1044.18.3062.1911 [GMT 1:00]

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Programfiler\Lenovo\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Programfiler\Alwil Software\Avast5\AvastSvc.exe
C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programfiler\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Programfiler\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Programfiler\Lenovo\PM Driver\PMSveH.exe
c:\Programfiler\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Programfiler\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Programfiler\Lenovo\Rescue and Recovery\rrservice.exe
C:\Programfiler\Pure Networks\Network Magic\nmsrvc.exe
c:\programfiler\lenovo\system update\suservice.exe
C:\Programfiler\Pure Networks\Network Magic\nmapp.exe
C:\Programfiler\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Programfiler\Microsoft IntelliPoint\ipoint.exe
C:\Programfiler\Microsoft IntelliPoint\dpupdchk.exe
C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
C:\Programfiler\Philips\Philips Songbird\extensions\philips-autoplay@philips.com\application\PhilipsSongbirdLauncher.exe
C:\Programfiler\Lenovo\Bluetooth Software\BTTray.exe
C:\Programfiler\OpenOffice.org 2.3\program\soffice.exe
C:\Programfiler\OpenOffice.org 2.3\program\soffice.BIN
C:\Programfiler\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Programfiler\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Marianne MacDonald\Skrivebord\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F%3Fnsr%3D1%26ui%3Dhtml%26zy%3Dl&ltmpl=default&ltmplcache=2
mDefault_Page_URL = hxxp://lenovo.live.com
uInternet Settings,ProxyOverride = *.local
BHO: Koblingshjelpeprogram for Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programfiler\fellesfiler\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\programfiler\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\programfiler\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programfiler\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programfiler\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\programfiler\windows live toolbar\msntb.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\programfiler\spybot - search & destroy\TeaTimer.exe
uRun: [MSMSGS] "c:\programfiler\messenger\msmsgs.exe" /background
uRun: [PhilipsSongbirdLauncher] c:\programfiler\philips\philips songbird\extensions\philips-autoplay@philips.com\application\PhilipsSongbirdLauncher.exe
mRun: [PMHandler] c:\progra~1\lenovo\pmdriv~1\PMHandler.exe
mRun: [SynTPEnh] c:\programfiler\synaptics\syntp\SynTPEnh.exe
mRun: [TPFNF7] c:\programfiler\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [TPWAUDAP] c:\programfiler\lenovo\hotkey\TpWAudAp.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\programfiler\realtek\audio\installshield\AzMixerSel.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [TVT Scheduler Proxy] c:\programfiler\fellesfiler\lenovo\scheduler\scheduler_proxy.exe
mRun: [SunJavaUpdateSched] "c:\programfiler\java\jre6\bin\jusched.exe"
mRun: [ISUSPM Startup] c:\progra~1\felles~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\programfiler\fellesfiler\installshield\updateservice\issch.exe" -start
mRun: [LPManager] c:\progra~1\lenovo\lenovo~2\LPMGR.exe
mRun: [AwaySch] c:\programfiler\lenovo\awaytask\AwaySch.EXE
mRun: [AMSG] c:\programfiler\thinkvantage\amsg\Amsg.exe /startup
mRun: [nmapp] "c:\programfiler\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [DiskeeperSystray] "c:\programfiler\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [ACTray] c:\programfiler\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\programfiler\thinkpad\connectutilities\ACWLIcon.exe
mRun: [Corel Photo Downloader] c:\programfiler\corel\corel snapfire plus\Corel Photo Downloader.exe
mRun: [Symantec PIF AlertEng] "c:\programfiler\fellesfiler\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\programfiler\fellesfiler\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [QuickTime Task] "c:\programfiler\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\programfiler\itunes\iTunesHelper.exe"
mRun: [IntelliPoint] "c:\programfiler\microsoft intellipoint\ipoint.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Adobe Reader Speed Launcher] "c:\programfiler\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\programfiler\fellesfiler\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\programfiler\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\marian~1\start-~1\progra~1\oppstart\openof~1.lnk - c:\programfiler\openoffice.org 2.3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\start-~1\progra~1\oppstart\adobeg~1.lnk - c:\programfiler\fellesfiler\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\start-~1\progra~1\oppstart\bttray.lnk - c:\programfiler\lenovo\bluetooth software\BTTray.exe
IE: &Windows Live Search - c:\programfiler\windows live toolbar\msntb.dll/search.htm
IE: E&ksporter til Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send til &Bluetooth-enhet... - c:\programfiler\lenovo\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programfiler\messenger\msmsgs.exe
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\programfiler\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\programfiler\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\programfiler\fellesfiler\pure networks shared\puresp3.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\felles~1\skype\SKYPE4~1.DLL
Notify: ACNotify - ACNotify.dll
Notify: igfxcui - igfxdev.dll
Notify: tphotkey - c:\programfiler\lenovo\hotkey\tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 nwprovau
LSA: Notification Packages = scecli ACGina
Hosts: www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\marian~1\progra~1\mozilla\firefox\profiles\0g8crt7y.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F%3Fnsr%3D1%26ui%3Dhtml%26zy%3Dl&ltmpl=default&ltmplcache=2
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\programfiler\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\programfiler\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: LiveJournal Addons: homo_nudus@livejournal.com - %profile%\extensions\homo_nudus@livejournal.com
FF - Ext: Screengrab: {02450954-cdd9-410f-b1da-db804e18c671} - %profile%\extensions\{02450954-cdd9-410f-b1da-db804e18c671}
FF - Ext: LJlogin: {ad4ee9e5-49c7-4589-acf3-db9fa76a95c9} - %profile%\extensions\{ad4ee9e5-49c7-4589-acf3-db9fa76a95c9}
FF - Ext: Simple Timer: simpletimer@grbradt.org - %profile%\extensions\simpletimer@grbradt.org
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\programfiler\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-6-10 165584]
R1 PMHler;PMHler;c:\windows\system32\drivers\PMHler.sys [2006-5-24 10240]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-6-10 17744]
R2 Automatisk LiveUpdate-planlegging;Automatisk LiveUpdate-planlegging;c:\programfiler\symantec\liveupdate\AluSchedulerSvc.exe [2007-12-25 554352]
R2 avast! Antivirus;avast! Antivirus;c:\programfiler\alwil software\avast5\AvastSvc.exe [2010-3-3 40384]
R2 FNF5SVC;Fn+F5 Service;c:\programfiler\lenovo\hotkey\FnF5svc.exe [2007-5-11 54832]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\programfiler\lenovo\rescue and recovery\rrpservice.exe [2007-2-8 569344]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\programfiler\alwil software\avast5\AvastSvc.exe [2010-3-3 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\programfiler\alwil software\avast5\AvastSvc.exe [2010-3-3 40384]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2007-5-22 30336]
S2 FingerprintServer;Fingerprint Server;c:\windows\system32\fplogonserv.exe --> c:\windows\system32\FpLogonServ.exe [?]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [2009-12-23 102656]
S3 USBAAPL;Apple Mobile USB Driver;c:\windows\system32\drivers\usbaapl.sys [2008-2-29 30464]

=============== Created Last 30 ================

2011-01-14 14:33:35 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-01-14 13:56:13 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-01-14 13:55:54 -------- d-----w- c:\docume~1\alluse~1\progra~1\Hitman Pro
2011-01-14 12:21:20 -------- d-----w- c:\docume~1\marian~1\progra~1\Malwarebytes
2011-01-14 12:21:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-14 12:21:12 -------- d-----w- c:\docume~1\alluse~1\progra~1\Malwarebytes
2011-01-14 12:21:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-14 12:21:08 -------- d-----w- c:\programfiler\Malwarebytes' Anti-Malware
2010-12-28 14:30:35 -------- d-----w- C:\Caesar3
2010-12-20 17:52:10 -------- d-----w- c:\docume~1\marian~1\progra~1\Philips
2010-12-20 17:49:55 -------- d-----w- c:\docume~1\marian~1\progra~1\Philips-Songbird
2010-12-20 17:49:55 -------- d-----w- c:\docume~1\marian~1\lokale~1\progra~1\Philips-Songbird
2010-12-20 17:48:44 -------- d-----w- c:\programfiler\Philips
2010-12-20 17:47:39 -------- d-----w- c:\windows\system32\LogFiles
2010-12-15 21:14:00 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-15 21:13:22 45568 ------w- c:\windows\system32\dllcache\wab.exe

==================== Find3M ====================

2011-01-11 23:07:18 3140 --sha-w- c:\windows\system32\KGyGaAvL.sys
2011-01-11 23:06:33 88 --sh--r- c:\windows\system32\37E7CD59B6.sys
2010-11-18 18:15:48 81920 ------w- c:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:23:40 832512 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:23:38 1830912 ------w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:23:37 78336 ------w- c:\windows\system32\ieencode.dll
2010-11-06 00:23:37 17408 ------w- c:\windows\system32\corpol.dll
2010-11-03 12:26:15 389120 ------w- c:\windows\system32\html.iec
2010-10-28 13:09:51 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 14:00:05 1853312 ------w- c:\windows\system32\win32k.sys

============= FINISH: 16:31:18,01 ===============

Attached Files

BC AdBot (Login to Remove)


#2 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:10:39 PM

Posted 14 January 2011 - 03:22 PM

Good evening. :)

Pay a visit to the ESET Online Scanner.

  • Click the ESET Online Scanner button, read the info in the new window, check the appropriate box and click Start.
  • Accept the ActiveX download, and allow it to install.
  • Once this has been completed, you will see the Computer Scan settings page - ensure that you uncheck the "Remove found threats" box and then click Start.
  • The virus signature database will now need to be downloaded, so don't forget to instruct your firewall to permit it if it asks.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

Can you also tell me if you have access to another machine running XP Pro Service Pack 3 - it may come in handy if we need to "borrow" a couple of files.

So long, and thanks for all the fish.



#3 Itchylyn

  • Topic Starter

  • Members
  • 12 posts
  • Local time:10:39 PM

Posted 14 January 2011 - 04:31 PM

Good evening, Noviciate, and thank you for replying so quickly. I used the ESET and this is what I got:

C:\WINDOWS\system32\nt.dll Win32/Bamital.EZ trojan
C:\WINDOWS\system32\winlogon.exe Win32/Patched.GN trojan
Operating memory Win32/Patched.GN trojan

Sadly, I don't have access to another computer that runs XP Pro Service pack 3, and sadly, I don't have the installation disc for the system, either, so reformatting might not be possible. I do have access to a computer that runs Windows Vista Service Pack 2, though - no idea if that's of any use, but thought I should mention it just in case.

Thanks again for your help - I really appreciate it, and the clarity of your instructions.

#4 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:10:39 PM

Posted 14 January 2011 - 05:05 PM

Well, fingers crossed we won't need to work around this as you may be lucky with the required files being held as backups on your system.

Take a trip to this webpage for download links and instructions for running Combofix by sUBs.*

  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of it's removal tasks without the installation of the Console so, should you choose not to allow the installation, you may not get the results you hoped for.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for either.

So long, and thanks for all the fish.



#5 Itchylyn

  • Topic Starter

  • Members
  • 12 posts
  • Local time:10:39 PM

Posted 14 January 2011 - 05:46 PM

I've followed the instructions with the downloading of ComboFix and the Recovery Console, which were installed and opened without issue. The antivirus was turned off.

The running of ComboFix seemed to go as it's supposed to, ending with it saying it had found an infection in "nt.dll" - any other information I don't remember, as the screen was only up for a few seconds. After that, the computer started rebooting.

And it's still rebooting, more than ten minutes later. Each time, it gets to the point where it would normally return to the desktop, before showing a brief glimpse of a program (possibly Combofix?), before rebooting yet again.

Is there an amount of time that it's supposed to take, or has it crashed in some way? What should I do?

#6 Itchylyn

  • Topic Starter

  • Members
  • 12 posts
  • Local time:10:39 PM

Posted 14 January 2011 - 07:02 PM

After it had rebooted for well over an hour, I selected the Recovery Console option that appears during start up. While it attempted to run, it quickly switched to an error screen with this message:

A problem has been detected and Windows has been shut down to prevent damage to your computer. If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again, follow these steps: check for viruses on your computer. Remove any newly installed hard drives or hard drive controllers. Check your hard drive to make sure it is properly configured and terminated.

Run CHKDSK /F to check for hard drive corruption, and then restart your computer.

Technical information:

*** STOP: 0x0000007B (0xF78D2524, 0xC0000034, 0x00000000, 0x00000000)

After that, I shut down the computer, and then restarted - after which, it returned to its cycle of rebooting. So for the time being, I turned it off for the night.

Any advice about what to do now would be appreciated! :)

#7 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:10:39 PM

Posted 15 January 2011 - 02:24 PM

Good evening. :)

I'll need a little time as this isn't the usual behaviour that results from CF. Do you have access to a USB flashdrive, 256Mb will do, that you can wipe clean and use for a bootable OS that we are probably going to need?

So long, and thanks for all the fish.



#8 Itchylyn

  • Topic Starter

  • Members
  • 12 posts
  • Local time:10:39 PM

Posted 15 January 2011 - 02:38 PM

Hello, and thank you!

I do have a portable USB drive, and it's large enough (1.88GB). It's currently been emptied, but if there's anything else that needs to be done with it, please let me know.

Thank you again for all the help, I really appreciate it. Is there a way of knowing how long the process will take - i.e., are we talking about 48 hours, or two weeks?

#9 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:10:39 PM

Posted 15 January 2011 - 02:58 PM

If all goes well, i'd say it should be resolved before the weekend's out. The nasty in question infects/replaces system files and in order to remove the infection you need to remove the files, but doing this will kill the system. You have to have these files, which is why they are targeted, and so you need clean versions to replace the nasty ones.
For some reason CF didn't manage to successfully remove and replace these files and so your machine is now without what it needs to boot.

I'm just checking a few things and i'll post again shortly.

So long, and thanks for all the fish.



#10 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:10:39 PM

Posted 15 January 2011 - 03:15 PM

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to your Desktop - it doesn't have to be the infected PC.
  • Insert your USB drive.
  • Click Start > My Computer, right click your USB drive and select Format > Quick format.
  • Double click the unetbootin-xpud-windows-latest.exe file that you just downloaded.
  • Click Run then OK - this will install a little bootable OS on your USB.
  • After it has completed, do not choose to reboot the clean computer; simply close the installer.
  • Next download http://noahdfear.net/downloads/driver.sh to your USB - directly or drag it there when it's downloaded.
  • If you are using a different PC to the sick one, remove the USB as this part is complete. If not, leave it where it is.

The next part is somewhat tricky as it differs on different machines. If you are lucky, then the following will work. If it doesn't, let me know and we'll go for a different angle.
  • If necessary insert the USB stick into the sick PC and then boot it.
  • You need to select the OS that is on the stick rather than let Windows take charge, so press F12 and choose to boot from the USB before Windows starts loading
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Click the File icon on the left.
  • Expand mnt by clicking the little arrow to it's left.
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Click Tool at the top
  • Choose Open Terminal - this will open the Linux equivalent of a Command Window in all it's fashionable black livery.
  • Type bash driver.sh -f and then <ENTER>
  • You will be prompted to input a filename - enter the following:

    • nt.dll
  • Press <ENTER>.
  • If done succesfully, the script will search for copies of this file on your system.
  • After it has finished a report will be located in the USB drive as filefind.txt.
  • You need to locate this file, right click it and rename it to filefind1.txt.
  • Repeat the steps to search for these files as well, in turn, renaming the new filefind.txt as well to avoid overwriting it:

Please note - all text entries are case sensitive

Let me have the contents of the files, or let me know if you had any problems.

So long, and thanks for all the fish.



#11 Itchylyn

  • Topic Starter

  • Members
  • 12 posts
  • Local time:10:39 PM

Posted 15 January 2011 - 04:30 PM

Tragically, it seems that I have hit a snag - that despite several attempts, I cannot seem to overcome.

I'm at the point where I'm in the xPUD program, looking for the driver.sh file, but I can't find it! I know it's on the USB drive (I checked it on the uninfected computer), but it doesn't show up in the files on the afflicted one. I believe I'm in the right area - there's an sda1 that seems to correspond to the computer, and a sda2 that seems to correspond to the USB drive, but there's no sign of driver.sh.

What should I do now?

#12 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:10:39 PM

Posted 15 January 2011 - 05:43 PM

You're just not willing to play the game, are you! :) Just to confirm, did you identify the folder that corresponds to the flashdrive, and then open it as you would with Windows, with a double click? It may be that I didn't clearly state two clicks to open, in which case i'll address that for next time.
If the file as on the flashdrive when it left the clean PC, it should be in the folder that corresponds to the folder on the infected one.

So long, and thanks for all the fish.



#13 Itchylyn

  • Topic Starter

  • Members
  • 12 posts
  • Local time:10:39 PM

Posted 15 January 2011 - 07:05 PM

Progress has been made! Strangely enough, when I tried it a last time it worked how it was supposed to! (After reformatting the flash drive -again-, and putting the program on it, I copied the driver.sh file both directly in the drive itself, as well as in one of the folders. I'm not sure why, but when I ran things this time, the sdb1 folder appeared when it hadn't before.)

In any case, I was able to follow the rest of the instructions, and attached the files!

Attached Files

#14 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:10:39 PM

Posted 16 January 2011 - 03:29 PM

Good evening. :)

Fortunately the files you need are backed-up on you machine, so it's a little rename and copy and paste and that should, fingers crossed, be that.

Please read through all the instructions BEFORE you begin and ask any questions that you may have first.

  • I want you to boot into xPUD, just as you did last time.
  • Once you are up and running, I want you to identify the folder that corresponds to your hard drive, which is probably sda1, and double click it to open it.
  • The rest of this is just like using Windows, so you should breeze through it, given that you already did the hard bit.
  • The first file you want is: WINDOWS/ServicePackFiles/i386/explorer.exe - this is a clean copy of your infected one.
  • I want you to right click it and copy it - we'll keep the original where it is, just in case we need another copy for any reason.
  • You then need to go back to the WINDOWS folder and locate the existing copy of explorer.exe
  • Right click it and rename it to explorer.old - again we are keeping it safe, but disabled, just in case.
  • Now right click and paste the clean copy of explorer.exe into the same folder.
  • Now you need to go back and get a second file: WINDOWS/ServicePackFiles/i386/winlogon.exe and, again, copy it.
  • This time you need to head to the WINDOWS\system32 folder, locate winlogon.exe and rename it winlogon.old.
  • Paste the clean copy of winlogon.exe into the same folder and Bob should be your Auntie's husband.
  • Click the Home icon on the left and Power off the machine
  • Remove the USB drive and boot your PC into Normal Mode and let me know what happens.

I'm not sure why, but when I ran things this time, the sdb1 folder appeared when it hadn't before

It's a computer, so it's generally best to accept that it hates you and does these things from time to time due a silicon-type sense of humour!

So long, and thanks for all the fish.



#15 Itchylyn

  • Topic Starter

  • Members
  • 12 posts
  • Local time:10:39 PM

Posted 16 January 2011 - 04:18 PM

Well, since this is being written on the sick computer, I think it's safe to say that things are very much heading in the right direction! I followed your instructions, and all went well, but when I turned it on, the computer initially wouldn't load anything past the "loading personal settings" screen, but I theorise that this might have something to do with the fact that my mouse somehow got itself plugged into the wrong outlet before I turned the computer on.

However, third time I tried, and minus mouse this time, it did load, though not quite as normal - the "loading personal settings" message did linger for somewhat longer than usual, and I'm also noticing that the fan seems rather keener to run than it normally would be. Is something off, or am I just being jittery on my computer's behalf?

I have turned on Avast again - anything else I should do before we consider this venture an unqualified success? :)

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users