
Second Computer Infected With Windows Recovery Virus


2 replies to this topic

#1 he's dead jim

he's dead jim

  • Members
  • 112 posts
  • OFFLINE
  • Local time:05:36 AM

Posted 25 May 2011 - 06:29 PM

hello again. this thread is for computer number 2. it was not as heavily damaged as the previous one. here is what i have done so far and also what state the computer is currently in:

1. all antivirus and anti malware software would not work except combofix in safe mode, so i ran that.

2. the computer has all the icons in both the start menu and the desktop, but the associations do not work. example - you double click on an icon and the menu comes up to ask what program you want to open.

3. the post below this will have my combofix log.

thanks

ComboFix 11-05-21.03 - Administrator 05/22/2011 21:55:25.2.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1683 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Jesse\Local Settings\Application Data\rdq.exe
c:\documents and settings\Jesse\WINDOWS
c:\program files\driver
c:\program files\iWon
c:\program files\iWon\bar\1.bin\chrome\jfffxtbr.jar
c:\program files\iWon\bar\1.bin\T8FFTBPR.DLL
c:\program files\iWon\bar\1.bin\T8PATCH.DLL
c:\program files\iWon\bar\2.bin\CHROME.MANIFEST
c:\program files\iWon\bar\2.bin\chrome\jfffxtbr.jar
c:\program files\iWon\bar\2.bin\INSTALL.RDF
c:\program files\iWon\bar\2.bin\jfbar.dll
c:\program files\iWon\bar\2.bin\jfbarsvc.exe
c:\program files\iWon\bar\2.bin\jfdatact.dll
c:\program files\iWon\bar\2.bin\jfdyn.dll
c:\program files\iWon\bar\2.bin\jffeedmg.dll
c:\program files\iWon\bar\2.bin\jfhighin.exe
c:\program files\iWon\bar\2.bin\jfhtml.dll
c:\program files\iWon\bar\2.bin\jfhtmlmu.dll
c:\program files\iWon\bar\2.bin\jfhttpct.dll
c:\program files\iWon\bar\2.bin\jfidle.dll
c:\program files\iWon\bar\2.bin\jfimpipe.exe
c:\program files\iWon\bar\2.bin\jfmedint.exe
c:\program files\iWon\bar\2.bin\jfmlbtn.dll
c:\program files\iWon\bar\2.bin\jfmsg.dll
c:\program files\iWon\bar\2.bin\jfPlugin.dll
c:\program files\iWon\bar\2.bin\jfradio.dll
c:\program files\iWon\bar\2.bin\jfregfft.dll
c:\program files\iWon\bar\2.bin\jfscript.dll
c:\program files\iWon\bar\2.bin\jfskin.dll
c:\program files\iWon\bar\2.bin\jfskplay.exe
c:\program files\iWon\bar\2.bin\jftpinst.dll
c:\program files\iWon\bar\2.bin\jfuabtn.dll
c:\program files\iWon\bar\2.bin\LOGO.BMP
c:\program files\iWon\bar\2.bin\NPjfStub.dll
c:\program files\iWon\bar\Cache\09CFBC26.bmp
c:\program files\iWon\bar\Cache\09CFBC74.bmp
c:\program files\iWon\bar\Cache\09CFBCA3.bmp
c:\program files\iWon\bar\Cache\09CFBCD2.bmp
c:\program files\iWon\bar\Cache\0EF20A8D.bmp
c:\program files\iWon\bar\Cache\0F0D81BD
c:\program files\iWon\bar\Cache\0F290C85
c:\program files\iWon\bar\Cache\0F44974D
c:\program files\iWon\bar\Cache\0F44AAE5.bmp
c:\program files\iWon\bar\Cache\103C2C97.bmp
c:\program files\iWon\bar\Cache\103C3282.bmp
c:\program files\iWon\bar\Cache\103C33AB.bin
c:\program files\iWon\bar\Cache\103C3409.bmp
c:\program files\iWon\bar\Cache\103C3476.bmp
c:\program files\iWon\bar\Cache\103C34E4.bmp
c:\program files\iWon\bar\Cache\11870D4D.bmp
c:\program files\iWon\bar\Cache\187EDB1C.bmp
c:\program files\iWon\bar\Cache\187EE7AF.bmp
c:\program files\iWon\bar\Cache\187EEB0A.bmp
c:\program files\iWon\bar\Cache\187EF348.bmp
c:\program files\iWon\bar\Cache\187EF5D8.jhtml
c:\program files\iWon\bar\Cache\187F2B4F.bmp
c:\program files\iWon\bar\Cache\1BE3C6D6
c:\program files\iWon\bar\Cache\1BE3C7C0
c:\program files\iWon\bar\Cache\files.ini
c:\program files\iWon\bar\History\search3
c:\program files\iWon\bar\Message\COMMON.T8S
c:\program files\iWon\bar\Settings\prevcfg2.htm
c:\program files\iWon\bar\Settings\s_pid.dat
c:\program files\iWon\bar\Settings\s_w1.dat
c:\program files\iWon\bar\Settings\s_w1.dat.bak
c:\program files\iWon\bar\Settings\s_w2.dat
c:\program files\iWon\bar\Settings\s_w2.dat.bak
c:\program files\iWon\bar\Settings\setting3.htm
c:\program files\iWon\bar\Settings\setting3.htm.bak
c:\program files\iWon\Shared\Cache\PopupProperties100064968.html
C:\WGASetup.exe
.
----- BITS: Possible infected sites -----
.
hxxp://apnmedia.ask.com
.
((((((((((((((((((((((((( Files Created from 2011-04-23 to 2011-05-23 )))))))))))))))))))))))))))))))
.
.
2011-05-23 01:49 . 2011-05-23 01:49 -------- d-----w- c:\documents and settings\Administrator
2011-05-19 20:47 . 2011-05-19 20:47 -------- d-----w- c:\documents and settings\Jesse\Application Data\ooVoo Details
2011-05-19 20:47 . 2011-05-19 20:47 -------- d-----w- c:\program files\ooVoo
2011-05-17 21:11 . 2011-05-17 21:11 -------- d-----w- c:\program files\GameSpy Arcade
2011-05-17 21:04 . 2011-05-17 21:04 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-07 19:52 . 2011-05-07 19:52 -------- d-----w- c:\documents and settings\Jesse\Application Data\Apple Computer
2011-05-07 19:52 . 2009-05-18 17:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-05-07 19:52 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2011-05-07 19:50 . 2011-05-07 19:50 -------- d-----w- c:\documents and settings\Jesse\Local Settings\Application Data\Apple
2011-05-07 19:50 . 2011-05-07 19:50 -------- d-----w- c:\program files\Apple Software Update
2011-05-07 19:50 . 2011-02-18 20:36 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-05-07 19:50 . 2011-02-18 20:36 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-05-07 19:50 . 2011-05-07 19:50 -------- d-----w- c:\program files\Bonjour
2011-05-07 19:49 . 2011-05-07 19:51 -------- d-----w- c:\program files\Common Files\Apple
2011-05-07 19:49 . 2011-05-07 19:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2011-05-06 01:47 . 2011-05-06 01:47 -------- d-----w- c:\program files\Firefly Studios
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 20:20 . 2011-04-06 20:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2009-06-13 14:36 . 2009-04-15 15:00 47616 ----a-w- c:\program files\cports.exe
2008-05-13 05:10 . 2008-05-13 05:10 401720 ----a-w- c:\program files\HiJackThis.exe
2006-07-12 16:59 . 2008-05-13 18:43 3278400 ----a-w- c:\program files\procexp.exe
2006-03-20 20:37 . 2008-05-13 18:44 5689344 ----a-w- c:\program files\Free - Media Player Classic Version 6.4.9.0.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime Alternative\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57574:TCP"= 57574:TCP:Pando Media Booster
"57574:UDP"= 57574:UDP:Pando Media Booster
"57089:TCP"= 57089:TCP:Pando Media Booster
"57089:UDP"= 57089:UDP:Pando Media Booster
.
R0 ViBus;ViBus;c:\windows\system32\drivers\ViBus.sys [5/13/2008 12:28 AM 16896]
R0 ViPrt;VIA SATA IDE Device Driver;c:\windows\system32\drivers\ViPrt.sys [5/13/2008 12:28 AM 52736]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 iWonService;iWon Toolbar Service;c:\progra~1\iWon\bar\2.bin\jfbarsvc.exe --> c:\progra~1\iWon\bar\2.bin\jfbarsvc.exe [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 8:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S3 XDva189;XDva189;\??\c:\windows\system32\XDva189.sys --> c:\windows\system32\XDva189.sys [?]
S4 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [7/28/2009 6:45 AM 719392]
S4 NProtectService;Norton Unerase Protection;c:\program files\Norton Utilities\NPROTECT.EXE [5/13/2008 3:50 PM 135168]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath -
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-ooVoo - C\ooVoo.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-22 22:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-05-22 22:07:54
ComboFix-quarantined-files.txt 2011-05-23 02:07
.
Pre-Run: 20,162,125,824 bytes free
Post-Run: 20,348,833,792 bytes free
.
- - End Of File - - 5F908C0A1DD848FFE16F2A578643BF4B

#2 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:04:36 AM

Posted 04 June 2011 - 11:35 AM

he's dead jim,

Please download the linkfile_fix (attached file) to your desktop. Double click it and an information box will pop up asking if you want to merge the information in the file into the registry; click Yes. Restart your pc. After that, please proceed with the following:



Step1

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then click on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\TDSSKiller folder). Please copy and paste the contents of that file here.


Step2

Please download Malwarebytes' Anti-Malware from Here or Here

  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM, or you can find it here:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • You can refer to this tutorial

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



Step3

  • Please download OTL and save it to your desktop.
  • Double click on the icon on your desktop.
  • Under the Standard Registry box, change it to All.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste the following bolded text:


    /md5start
    explorer.exe
    winlogon.exe
    userinit.exe
    svchost.exe
    volsnap.sys
    /md5stop
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    C:\program files\common files\data\* /s
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
    C:\Documents and Settings\mhumphrey\Desktop\*.* /s

    :reg
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command /s
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations /s
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /s
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download /s

  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • OTListIt.txt <-- Will be opened and Extra.txt <-- Will be minimized
  • Copy and paste both logs back here in your next reply.


In your next reply, please post back:

1. TDSSKiller log
2. MBAM log
3. OTListIt.txt and Extra.txt

Let me know if you have any remaining issues on your pc.

Edited by sundavis, 04 June 2011 - 11:37 AM.


#3 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:04:36 AM

Posted 10 June 2011 - 05:02 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
