
infected by win32/olmarik.AJL trojan


  • This topic is locked
2 replies to this topic

#1 hgunags


Posted 07 February 2011 - 11:18 AM

Hi, I have a WinXP SP3 system with dual boot, and just recently it refused to go into the boot option screen; instead, the cursor was blinking and nothing happened. Rebooting the system didn't do any good. I installed a new HD with XP on it and moved my documents from the old hard drive. A scan with ESET found that the old HD was infected by olmarik.ajl in the MBR and ESET was unable to clean it.
Any help would be really appreciated.

Below is the content of the DDS.txt:


DDS (Ver_10-12-12.02) - NTFSx86
Run by HGW at 3:35:14.29 on Mon 02/07/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2373 [GMT -8:00]

AV: ESET Smart Security 4.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled*
FW: ZoneAlarm Pro Firewall *Enabled*

============== Running Processes ===============

E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
E:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\CheckPoint\ZAForceField\ForceField.exe
svchost.exe
E:\Program Files\ESET\ESET Smart Security\ekrn.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
E:\WINDOWS\system32\MsPMSPSv.exe
E:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
E:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
E:\Program Files\ESET\ESET Smart Security\egui.exe
E:\Program Files\Common Files\Java\Java Update\jusched.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\WINDOWS\System32\svchost.exe -k HTTPFilter
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\Documents and Settings\HGW\My Documents\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - e:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - e:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - e:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - e:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
uRun: [ctfmon.exe] e:\windows\system32\ctfmon.exe
mRun: [StartCCC] "e:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [CTSysVol] e:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [CTHelper] CTHELPER.EXE
mRun: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
mRun: [SBDrvDet] e:\program files\creative\sb drive det\SBDrvDet.exe /r
mRun: [UpdReg] e:\windows\UpdReg.EXE
mRun: [PRONoMgr.exe] e:\program files\intel\ncs\proset\PRONoMgr.exe
mRun: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
mRun: [SoundMAXPnP] e:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "e:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [WD Drive Manager] e:\program files\western digital\wd drive manager\WDBtnMgrUI.exe
mRun: [ZoneAlarm Client] "e:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ISW] "e:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [egui] "e:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [SunJavaUpdateSched] "e:\program files\common files\java\java update\jusched.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - e:\program files\messenger\msmsgs.exe
Trusted Zone: aol.com\free
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1296954815509
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1296954810430
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;e:\windows\system32\drivers\ehdrv.sys [2010-7-29 115008]
R1 vsdatant;vsdatant;e:\windows\system32\vsdatant.sys [2011-2-5 486280]
R2 ekrn;ESET Service;e:\program files\eset\eset smart security\ekrn.exe [2010-11-4 810144]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;e:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-10-14 25208]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;e:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-10-14 476528]
R2 vsmon;TrueVector Internet Monitor;e:\windows\system32\zonelabs\vsmon.exe -service --> e:\windows\system32\zonelabs\vsmon.exe -service [?]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;e:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-7-24 102400]
S3 nosGetPlusHelper;getPlus® Helper 3004;e:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-3 14336]
S3 WDC_SAM;WD SCSI Pass Thru driver;e:\windows\system32\drivers\wdcsam.sys [2011-2-5 11520]

=============== Created Last 30 ================

2011-02-07 09:41:23 -------- d-----w- e:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2011-02-07 04:55:19 -------- d-----w- e:\program files\TeaTimer (Spybot - Search & Destroy)
2011-02-07 04:55:19 -------- d-----w- e:\program files\SDHelper (Spybot - Search & Destroy)
2011-02-07 04:55:19 -------- d-----w- e:\program files\Misc. Support Library (Spybot - Search & Destroy)
2011-02-07 04:55:18 -------- d-----w- e:\program files\File Scanner Library (Spybot - Search & Destroy)
2011-02-07 04:51:45 -------- d-----w- e:\program files\SpybotSDPortable
2011-02-06 09:15:43 -------- d-----w- e:\docume~1\hgw\applic~1\Malwarebytes
2011-02-06 09:15:31 38224 ----a-w- e:\windows\system32\drivers\mbamswissarmy.sys
2011-02-06 09:15:30 -------- d-----w- e:\docume~1\alluse~1\applic~1\Malwarebytes
2011-02-06 09:15:27 20952 ----a-w- e:\windows\system32\drivers\mbam.sys
2011-02-06 09:15:27 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware
2011-02-06 09:11:53 -------- d-----w- e:\docume~1\hgw\locals~1\applic~1\Adobe
2011-02-06 08:37:11 73728 ----a-w- e:\windows\system32\javacpl.cpl
2011-02-06 08:37:10 472808 ----a-w- e:\windows\system32\deployJava1.dll
2011-02-06 08:19:26 -------- d-----w- e:\docume~1\hgw\locals~1\applic~1\ESET
2011-02-06 08:19:26 -------- d-----w- e:\docume~1\hgw\applic~1\ESET
2011-02-06 08:17:43 -------- d-----w- e:\program files\ESET
2011-02-06 07:29:50 -------- d-----w- e:\documents and settings\hgw\Downloads
2011-02-06 05:45:54 626012 ----a-w- E:\appbckp2.reg
2011-02-06 05:45:54 346 ----a-w- E:\appbckp1.reg
2011-02-06 05:36:30 -------- d-sh--w- e:\documents and settings\hgw\PrivacIE
2011-02-06 05:20:01 -------- d-sh--w- e:\documents and settings\hgw\IECompatCache
2011-02-06 05:14:17 -------- d-sh--w- e:\documents and settings\hgw\IETldCache
2011-02-06 05:07:48 7680 -c----w- e:\windows\system32\dllcache\iecompat.dll
2011-02-06 05:07:14 -------- d-----w- e:\windows\ie8updates
2011-02-06 05:07:08 602112 -c----w- e:\windows\system32\dllcache\msfeeds.dll
2011-02-06 05:07:08 55296 -c----w- e:\windows\system32\dllcache\msfeedsbs.dll
2011-02-06 05:07:08 247808 -c----w- e:\windows\system32\dllcache\ieproxy.dll
2011-02-06 05:07:08 1991680 -c----w- e:\windows\system32\dllcache\iertutil.dll
2011-02-06 05:07:08 12800 -c----w- e:\windows\system32\dllcache\xpshims.dll
2011-02-06 05:07:07 743424 -c----w- e:\windows\system32\dllcache\iedvtool.dll
2011-02-06 05:07:07 11080704 -c----w- e:\windows\system32\dllcache\ieframe.dll
2011-02-06 05:05:54 -------- dc-h--w- e:\windows\ie8
2011-02-06 04:49:05 974848 -c----w- e:\windows\system32\dllcache\mfc42.dll
2011-02-06 04:49:05 953856 -c----w- e:\windows\system32\dllcache\mfc40u.dll
2011-02-06 04:48:38 272128 -c----w- e:\windows\system32\dllcache\bthport.sys
2011-02-06 04:48:33 357248 -c----w- e:\windows\system32\dllcache\srv.sys
2011-02-06 04:48:28 617472 -c----w- e:\windows\system32\dllcache\comctl32.dll
2011-02-06 04:48:26 455680 -c----w- e:\windows\system32\dllcache\mrxsmb.sys
2011-02-06 04:48:20 471552 -c----w- e:\windows\system32\dllcache\aclayers.dll
2011-02-06 04:46:58 2189952 -c----w- e:\windows\system32\dllcache\ntoskrnl.exe
2011-02-06 04:46:58 2146304 -c----w- e:\windows\system32\dllcache\ntkrnlmp.exe
2011-02-06 04:46:58 2024448 -c----w- e:\windows\system32\dllcache\ntkrpamp.exe
2011-02-06 04:46:57 2066816 -c----w- e:\windows\system32\dllcache\ntkrnlpa.exe
2011-02-06 04:46:07 1172480 -c----w- e:\windows\system32\dllcache\msxml3.dll
2011-02-06 04:46:05 203136 -c----w- e:\windows\system32\dllcache\rmcast.sys
2011-02-06 04:45:56 331776 -c----w- e:\windows\system32\dllcache\msadce.dll
2011-02-06 04:44:29 3558912 -c----w- e:\windows\system32\dllcache\moviemk.exe
2011-02-06 04:44:06 337408 -c----w- e:\windows\system32\dllcache\netapi32.dll
2011-02-06 04:39:16 218112 -c----w- e:\windows\system32\dllcache\wordpad.exe
2011-02-06 04:39:10 726528 -c--a-w- e:\windows\system32\dllcache\jscript.dll
2011-02-06 04:38:09 45568 -c----w- e:\windows\system32\dllcache\wab.exe
2011-02-06 04:37:47 590848 -c----w- e:\windows\system32\dllcache\rpcrt4.dll
2011-02-06 04:37:47 5120 ----a-w- e:\windows\system32\xpsp4res.dll
2011-02-06 04:37:19 -------- d-----w- e:\docume~1\hgw\applic~1\CheckPoint
2011-02-06 04:37:04 -------- d-----w- e:\program files\CheckPoint
2011-02-06 04:36:49 1238408 ----a-w- e:\windows\system32\zpeng25.dll
2011-02-06 04:36:49 -------- d-----w- e:\windows\system32\ZoneLabs
2011-02-06 04:35:51 274288 ----a-w- e:\windows\system32\mucltui.dll
2011-02-06 04:35:51 16736 ----a-w- e:\windows\system32\mucltui.dll.mui
2011-02-06 04:28:59 712704 ------w- e:\windows\system32\windowscodecs.dll
2011-02-06 04:28:59 69120 ------w- e:\windows\system32\wlanapi.dll
2011-02-06 04:28:59 346112 ------w- e:\windows\system32\windowscodecsext.dll
2011-02-06 04:28:59 32866 ------w- e:\windows\slrundll.exe
2011-02-06 04:28:59 276992 ------w- e:\windows\system32\wmphoto.dll
2011-02-06 04:28:58 -------- d-----w- e:\windows\system32\scripting
2011-02-06 04:28:58 -------- d-----w- e:\windows\system32\en
2011-02-06 04:28:58 -------- d-----w- e:\windows\system32\bits
2011-02-06 04:28:58 -------- d-----w- e:\windows\l2schemas
2011-02-06 04:28:04 -------- d-----w- e:\windows\ServicePackFiles
2011-02-06 04:27:55 294912 ------w- e:\program files\windows media player\dlimport.exe
2011-02-06 04:27:52 294912 -c----w- e:\windows\system32\dllcache\dlimport.exe
2011-02-06 04:25:42 19569 ----a-w- e:\windows\002879_.tmp
2011-02-06 04:06:23 -------- d-----w- e:\program files\Zone Labs
2011-02-06 04:06:15 -------- d-----w- e:\windows\Internet Logs
2011-02-06 02:00:35 -------- d-----w- e:\program files\common files\AntiGA 2.0 Addon Tools
2011-02-06 01:15:46 26144 ----a-w- e:\windows\system32\spupdsvc.exe
2011-02-06 01:15:46 -------- d-----w- e:\windows\system32\PreInstall
2011-02-06 01:15:45 -------- d--h--w- e:\windows\$hf_mig$
2011-02-06 01:13:45 21728 ----a-w- e:\windows\system32\wucltui.dll.mui
2011-02-06 01:13:45 17632 ----a-w- e:\windows\system32\wuaueng.dll.mui
2011-02-06 01:13:45 15072 ----a-w- e:\windows\system32\wuaucpl.cpl.mui
2011-02-06 01:13:45 15064 ----a-w- e:\windows\system32\wuapi.dll.mui
2011-02-06 01:13:45 -------- d-----w- e:\windows\system32\SoftwareDistribution
2011-02-06 01:13:24 -------- d-sh--w- e:\documents and settings\hgw\UserData
2011-02-06 00:17:29 -------- d-----w- e:\program files\Western Digital Corporation
2011-02-06 00:17:15 11520 ----a-w- e:\windows\system32\drivers\wdcsam.sys
2011-02-06 00:17:14 -------- d-----w- e:\program files\Western Digital
2011-02-06 00:16:40 20992 ----a-w- e:\windows\jestertb.dll
2011-02-06 00:06:41 -------- d-----w- e:\windows\system32\LogFiles
2011-02-06 00:05:37 126976 ----a-r- e:\windows\system32\e1000msg.dll
2011-02-06 00:05:36 24064 ----a-r- e:\windows\system32\IntelNic.dll
2011-02-06 00:05:36 121856 ----a-r- e:\windows\system32\drivers\e1000325.sys
2011-02-06 00:05:36 118784 ----a-r- e:\windows\system32\Prounstl.exe
2011-02-05 22:49:23 159744 ----a-r- e:\windows\system32\drivers\Fasttx2k.sys
2011-02-05 22:49:23 118784 ----a-r- e:\windows\system32\ptipbmf.dll
2011-02-05 22:39:43 102400 ----a-r- e:\windows\system32\drivers\ianswxp.sys
2011-02-05 22:34:19 -------- d-----w- e:\windows\system32\ReinstallBackups
2011-02-05 22:32:56 5824 ----a-w- e:\windows\system32\drivers\ASUSHWIO.SYS
2011-02-05 22:22:21 647872 ------w- e:\windows\system32\Mscomct2.ocx
2011-02-05 22:22:20 41984 ------w- e:\windows\Ctregrun.exe
2011-02-05 22:17:59 2944 ----a-w- e:\windows\system32\drivers\drmkaud.sys
2011-02-05 22:16:22 12288 ----a-w- e:\windows\system32\AHQCpURes.dll
2011-02-05 22:16:21 32768 ----a-w- e:\windows\system32\AudioHQU.cpl
2011-02-05 22:15:12 -------- d-----w- e:\windows\system32\Win9X
2011-02-05 22:09:02 15840 ----a-w- e:\windows\system32\drivers\pfmodnt.sys
2011-02-05 22:09:02 -------- d-----w- e:\program files\Creative
2011-02-05 21:59:06 -------- d-----w- e:\docume~1\hgw\locals~1\applic~1\ATI
2011-02-05 21:58:40 0 ----a-w- e:\windows\ativpsrm.bin
2011-02-05 21:54:54 -------- d-----w- e:\program files\common files\ATI Technologies
2011-02-05 21:50:51 729088 ----a-w- e:\program files\common files\installshield\professional\runtime\09\01\intel32\iKernel.dll
2011-02-05 21:50:51 69715 ----a-w- e:\program files\common files\installshield\professional\runtime\09\01\intel32\ctor.dll
2011-02-05 21:50:51 5632 ----a-w- e:\program files\common files\installshield\professional\runtime\09\01\intel32\DotNetInstaller.exe
2011-02-05 21:50:51 32768 ----a-w- e:\program files\common files\installshield\professional\runtime\Objectps.dll
2011-02-05 21:50:51 311428 ----a-w- e:\program files\common files\installshield\professional\runtime\09\01\intel32\setup.dll
2011-02-05 21:50:51 266240 ----a-w- e:\program files\common files\installshield\professional\runtime\09\01\intel32\iscript.dll
2011-02-05 21:50:51 192512 ----a-w- e:\program files\common files\installshield\professional\runtime\09\01\intel32\iuser.dll
2011-02-05 21:50:51 188548 ----a-w- e:\program files\common files\installshield\professional\runtime\09\01\intel32\iGdi.dll
2011-02-05 21:50:42 593920 ------w- e:\windows\system32\ati2sgag.exe
2011-02-05 21:50:39 311296 ----a-r- e:\windows\system32\atiiiexx.dll
2011-02-05 21:50:30 442368 ----a-r- e:\windows\system32\ATIDEMGX.dll
2011-02-05 21:49:56 -------- d-----w- e:\program files\ATI Technologies
2011-02-05 21:48:00 77824 ----a-w- e:\program files\common files\installshield\engine\6\intel 32\ctor.dll
2011-02-05 21:48:00 32768 ----a-w- e:\program files\common files\installshield\engine\6\intel 32\objectps.dll
2011-02-05 21:48:00 225280 ----a-w- e:\program files\common files\installshield\iscript\iscript.dll
2011-02-05 21:48:00 176128 ----a-w- e:\program files\common files\installshield\engine\6\intel 32\iuser.dll
2011-02-05 21:47:59 212992 ----a-w- e:\program files\common files\installshield\engine\6\intel 32\ILog.dll

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- e:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- e:\windows\system32\odbc32.dll

============= FINISH: 3:39:30.87 ===============


#2 m0le


Posted 11 February 2011 - 08:34 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
    The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic, and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 m0le


Posted 16 February 2011 - 07:52 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.
m0le is a proud member of UNITE
