

Infected with "Windows XP Recovery"


This topic is locked
28 replies to this topic

#1 sawo (Members, 13 posts)

Posted 05 June 2011 - 08:13 PM

Hi Bleeping Computer,

I came back to my computer only to find my computer background screen black, with a window from "Windows XP Recovery" running a scan saying that my hard drive has been compromised. There would be pop-ups saying that some files on my HD are corrupted. I automatically knew it was a rogue malware, so I tried pressing Ctrl+Alt+Del hoping to end the processes and go from there. I had no luck because the Task Manager window wouldn't even show up. I then restarted my computer in safe mode but was still unable to run a regular virus scan (I have Symantec AntiVirus). I found a tutorial on bleepingcomputer.com (using another computer) to uninstall Windows XP Recovery, and followed all the steps (running RKill, MBAM, etc.) with no luck. I even did the tutorial a second time under safe mode with no luck. The malware keeps reappearing after I restart the computer. For now, I have just shut down my computer until I come up with another solution on how to get rid of the problem.

Please help me!

#2 patndoris (Security Colleague, 127 posts, Female, Maryland)

Posted 13 June 2011 - 04:35 PM

Hello and welcome!

My name is patndoris. I will be glad to take a look at your log and help you with solving any malware problems. It will be very helpful if you follow these guidelines:
  • Malware logs are often lengthy and can take a lot of time to research and interpret. Please be patient while I review your logs.
  • Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.
  • Please make sure to carefully read any instruction that I give you. If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • Please follow my instructions carefully and in the order they are posted. You may also find it helpful to print out the instructions you receive.
  • Please do not run any scans or install/uninstall any applications or delete anything without being directed to do so.
  • Remember, absence of symptoms does not mean the infection is all gone. Please stick with me till you're given the "all clear".
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • Please reply within 3 days. If I do not hear back from you in that time frame, I will post a reminder for you. Topics with no reply in 4 days are closed!


We want all our members to perform the steps outlined in the link I'll give you below, before posting for assistance.
---------------------------------------------------------------------------------------------

Please follow our pre-posting process outlined here:

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

After running through all the steps, you shall have a proper set of DDS and GMER logs which you can post here for me to review.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.
~Doris~

Proud Graduate of the WTT Classroom
Member of UNITE

#3 sawo (Topic Starter, Members, 13 posts)

Posted 16 June 2011 - 09:44 PM

It seems that the virus hid all my programs from sight, so I wasn't able to go online from the infected computer. I tried restarting the computer in safe mode but they were still hidden. To create a DDS and GMER log, I downloaded and saved the files onto a flash drive from a clean computer and ran them from the infected computer. From the steps in the preparation guide, I didn't enable my firewall but I was able to disable the CD emulation software (DeFogger). Not sure if this was acceptable, but it was the only way I could think of that allowed me to run the scans. I ran all the scans in regular mode, not safe mode. Throughout the scanning, pop-ups would appear saying "Windows-delayed write failed" and "hard drive failure" along with the "Windows XP Recovery" virus window, which I wasn't able to get rid of. Below are the DDS logs (the attach.txt log is attached):

.
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 6.0.2900.2180
Run by Owner at 21:22:32 on 2011-06-16
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1024.237 [GMT -4:00]
.
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Cisco\Cisco NAC Agent\NACAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Cisco\Cisco NAC Agent\NACAgentUI.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Documents and Settings\All Users\Application Data\dgMwVfDydK.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\attrib.exe
C:\Documents and Settings\All Users\Application Data\15523620.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://us4.hpwis.com/
uDefault_Search_URL = hxxp://srch-us4.hpwis.com/
mSearch Bar = hxxp://srch-us4.hpwis.com/
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [dgMwVfDydK] c:\documents and settings\all users\application data\dgMwVfDydK.exe
mRun: [S3TRAY2] S3tray2.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [<NO NAME>]
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NACAgentUI] c:\program files\cisco\cisco nac agent\NACAgentUI.exe
dRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
uPolicies-explorer: NoDesktop = 1 (0x1)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Download with GetRight - c:\program files\getright\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office10\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\getright\GRbrowse.htm
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\npjpi150_06.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} - hxxp://www.cityyear.org/CFIDE/classes/CFJava.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} - hxxp://musicstore.connect.com/assets/activexplayer/SMALStreaming.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128987822639
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134332778624
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37882.8366898148
DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} - hxxp://www.winkflash.com/photo/loaders/ImageUploader3.cab
DPF: {C62DFDC7-2EEC-4C2C-827A-BC0BFB4260B3} - hxxp://companion.logitech.com/companion/logitech/ver1.4.0.1071/bin/imvid.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} - hxxp://sav01.downstate.edu/sav10%2D1drm%2Dwl/webinst.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{01D1C6CD-6D44-46B6-BA89-10155A459FBE} : DhcpNameServer = 15.60.103.1 15.60.103.2
TCP: Interfaces\{1A40C03B-55BD-49CE-AA35-E1361F1D2577} : DhcpNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{55AE45AB-9B99-42A8-90F9-C3075FF7D162} : DhcpNameServer = 192.168.0.1
Notify: ljJyYrop - ljJyYrop.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SEH: WinFax PRO IShellExecuteHook: {a213b520-c6c2-11d0-af9d-008029e1027e} - c:\program files\winfax\WfxSeh32.Dll
LSA: Notification Packages = scecli c:\windows\system32\maligoha.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\d4xj1vb6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdbplug.dll
FF - Ext: Forecastfox: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} - %profile%\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Tab Saver!: {7A074BE0-2326-436d-B473-029FAEBEB5C6} - %profile%\extensions\{7A074BE0-2326-436d-B473-029FAEBEB5C6}
FF - Ext: bug447571.xpi: bug447571@alice0775 - %profile%\extensions\bug447571@alice0775
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
============= SERVICES / DRIVERS ===============
.
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-11-21 192104]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-11-21 169576]
R2 NACAgent;Cisco NAC Agent;c:\program files\cisco\cisco nac agent\NACAgent.exe [2010-2-5 742144]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-3-14 116416]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-3-14 1816768]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-24 105592]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110524.002\naveng.sys [2011-5-24 86008]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110524.002\navex15.sys [2011-5-24 1542392]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
S3 icsak;icsak;\??\c:\program files\checkpoint\zaforcefield\ak\icsak.sys --> c:\program files\checkpoint\zaforcefield\ak\icsak.sys [?]
.
=============== File Associations ===============
.
regfile=regedit.exe "%1" %*
scrfile="%1" %*
.
=============== Created Last 30 ================
.
2011-06-05 16:52:50 336384 ----a-w- c:\documents and settings\all users\application data\15523620.exe
2011-06-05 16:34:14 4224 ----a-w- c:\windows\system32\beep.sys
2011-06-05 16:32:34 421888 ----a-w- c:\documents and settings\all users\application data\dgMwVfDydK.exe
.
==================== Find3M ====================
.
.
============= FINISH: 21:27:03.21 ===============

In the meantime, I am running the GMER log. I will attach it to the thread as soon as it is finished. I really appreciate your help and really hope this virus will be gone after our session! =D

Attached File: attach.txt (10.15KB)

Edited by sawo, 16 June 2011 - 09:45 PM.


#4 patndoris (Security Colleague, 127 posts, Female, Maryland)

Posted 16 June 2011 - 10:00 PM

Before we can attack the malware completely I will need to take a peek at that GMER log, but to make things a little easier, you can go ahead and do the following after you finish running the GMER scan.


Please download the most current version of Unhide from here.
Save it to your desktop and run it. In your reply, let me know if that brings back your icons, files and start menu items.
~Doris~


#5 sawo (Topic Starter, Members, 13 posts)

Posted 17 June 2011 - 11:03 AM

Hi patndoris,

I ran the GMER program overnight and I've attached it to the post. The only difference between the log that was generated and the one from the example in the preparation guide was that "c:\docume~1\bleeping..." (the one highlighted in red) was not listed.

I was able to make visible my start menu using your link. The screen is still black and my desktop icons are not showing.

Attached File: ark.txt (8.84KB)


#6 patndoris (Security Colleague, 127 posts, Female, Maryland)

Posted 17 June 2011 - 02:40 PM

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.
~Doris~


#7 sawo (Topic Starter, Members, 13 posts)

Posted 17 June 2011 - 04:02 PM

I disabled Symantec AntiVirus and followed the instructions to save/run ComboFix on the desktop. I agreed to the license and it ran a scan, but soon after, my computer suddenly restarted itself. I didn't get any messages like the ones you stated above. Once the computer restarted, the Windows XP Recovery malware window and hard drive failure messages appeared again. Also, the programs under the start menu were hidden. Should I be running these scans under safe mode instead?

#8 patndoris (Security Colleague, 127 posts, Female, Maryland)

Posted 17 June 2011 - 04:21 PM

Yes, please try running ComboFix in Safe Mode.
~Doris~


#9 sawo (Topic Starter, Members, 13 posts)

Posted 17 June 2011 - 05:35 PM

Below is the ComboFix log that was generated:

ComboFix 11-06-17.04 - Owner 06/17/2011 17:51:58.1.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1024.712 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator.COMPUTER\WINDOWS
c:\documents and settings\All Users\Application Data\15523620.exe
c:\documents and settings\All Users\Application Data\dgMwVfDydK.exe
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\Guest\WINDOWS
c:\documents and settings\Owner\Start Menu\Programs\Windows XP Recovery
c:\documents and settings\Owner\Start Menu\Programs\Windows XP Recovery\Uninstall Windows XP Recovery.lnk
c:\documents and settings\Owner\Start Menu\Programs\Windows XP Recovery\Windows XP Recovery.lnk
c:\documents and settings\Owner\WINDOWS
c:\windows\Downloaded Program Files\ocget.dll
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\geyekrskbgomyr.dat
c:\windows\system32\geyekrwfyybpyb.dat
c:\windows\system32\geyekryuhcwpwt.dat
.
.
((((((((((((((((((((((((( Files Created from 2011-05-17 to 2011-06-17 )))))))))))))))))))))))))))))))
.
.
2011-06-05 16:34 . 2004-08-04 12:00 4224 ----a-w- c:\windows\system32\beep.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3TRAY2"="S3tray2.exe" [2001-10-04 69632]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2001-06-15 212992]
"KBD"="c:\hp\KBD\KBD.EXE" [2001-07-06 61440]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-07-28 4841472]
"PS2"="c:\windows\system32\ps2.exe" [2001-07-03 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-14 125632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"NACAgentUI"="c:\program files\Cisco\Cisco NAC Agent\NACAgentUI.exe" [2010-02-05 454400]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-07-28 49152]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
AutoPlay.exe [2001-9-17 36864]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "c:\program files\WinFax\WfxSeh32.Dll" [1998-07-27 38400]
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator.COMPUTER^Start Menu^Programs^Startup^AutoPlay.exe]
path=c:\documents and settings\Administrator.COMPUTER\Start Menu\Programs\Startup\AutoPlay.exe
backup=c:\windows\pss\AutoPlay.exeStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-15 23:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2003-07-28 19:19 323584 ----a-w- c:\windows\SYSTEM32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wfxsvc"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/24/2011 11:57 PM 105592]
S3 icsak;icsak;\??\c:\program files\CheckPoint\ZAForceField\AK\icsak.sys --> c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://srch-us4.hpwis.com/
mSearch Bar = hxxp://srch-us4.hpwis.com/
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office10\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{1A40C03B-55BD-49CE-AA35-E1361F1D2577}: DhcpNameServer = 192.168.1.1 192.168.1.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} - hxxp://sav01.downstate.edu/sav10%2D1drm%2Dwl/webinst.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\d4xj1vb6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 4
FF - Ext: Forecastfox: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} - %profile%\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Tab Saver!: {7A074BE0-2326-436d-B473-029FAEBEB5C6} - %profile%\extensions\{7A074BE0-2326-436d-B473-029FAEBEB5C6}
FF - Ext: bug447571.xpi: bug447571@alice0775 - %profile%\extensions\bug447571@alice0775
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-dgMwVfDydK - c:\documents and settings\All Users\Application Data\dgMwVfDydK.exe
Notify-ljJyYrop - ljJyYrop.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-17 18:09
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3660946461-1434109735-2322020850-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-3660946461-1434109735-2322020850-1003\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-3660946461-1434109735-2322020850-1003)
@Allowed: (Read) (S-1-5-21-3660946461-1434109735-2322020850-1003)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):6a,49,b1,b9,20,0e,18,24,54,8b,e2,9c,28,8e,ad,97,4d,3f,70,0f,26,
64,9b,4d,97,4b,23,ce,61,12,71,0a,38,96,34,84,0b,c4,65,cf,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{eb6a0e10-95db-4cab-b310-e96792df6291}]
@Denied: (Full) (Everyone)
"Model"=dword:00000149
"Therad"=dword:00000002
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1024)
c:\windows\system32\sxs.dll
.
- - - - - - - > 'explorer.exe'(3876)
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\system32\LxrJD31s.exe
c:\program files\Cisco\Cisco NAC Agent\NACAgent.exe
c:\windows\System32\nvsvc32.exe
c:\program files\Symantec AntiVirus\SavRoam.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-06-17 18:21:44 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-17 22:21
.
Pre-Run: 40,484,659,200 bytes free
Post-Run: 40,610,164,736 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /noexecute=optin
.
Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 7D600BF6F41B84D585DFBF11953B199B


I realized after running combofix that my antivirus was left on and it is locked by the administrator even though the administrator is myself now (my school mandated that I downloaded the program). I'm not sure if this affected the scanning process. I am not getting any popups and my background has reverted back to the default blue screen. Everything seems to be running ok in the meantime...

#10 patndoris

patndoris

  • Security Colleague
  • 127 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Maryland
  • Local time:06:22 PM

Posted 17 June 2011 - 05:49 PM

We need to get additional information about a file.

Please go to:
http://www.virustotal.com/
Click on Choose File, and then upload the following file for analysis:

c:\windows\system32\beep.sys

Then click Send File and allow the file to be scanned.

Please ensure the scan is complete and the results saved.
If a pop-up appears saying the file has been scanned already, please select the ReScan button.

Please copy and paste the results here for me to see.
~Doris~

Proud Graduate of the WTT Classroom
Member of  UNITE

#11 sawo

sawo
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:05:22 PM

Posted 17 June 2011 - 06:27 PM

2 VT Community user(s) with a total of 4745 reputation credit(s) say(s) this sample is goodware. 1 VT Community user(s) with a total of 1 reputation credit(s) say(s) this sample is malware.
File name: beep.sys
Submission date: 2011-06-17 23:17:19 (UTC)


Result: 1/ 41 (2.4%)
VT Community

goodware
Safety score: 100.0%

Antivirus Version Last Update Result
AhnLab-V3 2011.06.18.00 2011.06.17 -
AntiVir 7.11.10.12 2011.06.17 -
Antiy-AVL 2.0.3.7 2011.06.17 -
Avast 4.8.1351.0 2011.06.18 -
Avast5 5.0.677.0 2011.06.18 -
AVG 10.0.0.1190 2011.06.17 -
BitDefender 7.2 2011.06.18 -
CAT-QuickHeal 11.00 2011.06.17 -
ClamAV 0.97.0.0 2011.06.17 -
Commtouch 5.3.2.6 2011.06.18 -
Comodo 9103 2011.06.17 -
DrWeb 5.0.2.03300 2011.06.18 -
eSafe 7.0.17.0 2011.06.15 Win32.Banker
eTrust-Vet 36.1.8393 2011.06.17 -
F-Prot 4.6.2.117 2011.06.18 -
Fortinet 4.2.257.0 2011.06.17 -
GData 22 2011.06.17 -
Ikarus T3.1.1.104.0 2011.06.17 -
Jiangmin 13.0.900 2011.06.17 -
K7AntiVirus 9.106.4822 2011.06.17 -
Kaspersky 9.0.0.837 2011.06.17 -
McAfee 5.400.0.1158 2011.06.18 -
McAfee-GW-Edition 2010.1D 2011.06.17 -
Microsoft 1.6903 2011.06.13 -
NOD32 6218 2011.06.18 -
Norman 6.07.10 2011.06.17 -
nProtect 2011-06-17.01 2011.06.17 -
Panda 10.0.3.5 2011.06.17 -
PCTools 7.0.3.5 2011.06.17 -
Prevx 3.0 2011.06.18 -
Rising 23.62.03.03 2011.06.17 -
Sophos 4.66.0 2011.06.18 -
SUPERAntiSpyware 4.40.0.1006 2011.06.17 -
Symantec 20111.1.0.186 2011.06.17 -
TheHacker 6.7.0.1.230 2011.06.14 -
TrendMicro 9.200.0.1012 2011.06.17 -
TrendMicro-HouseCall 9.200.0.1012 2011.06.18 -
VBA32 3.12.16.2 2011.06.17 -
VIPRE 9612 2011.06.18 -
ViRobot 2011.6.17.4519 2011.06.17 -
VirusBuster 14.0.84.1 2011.06.17 -
Additional information
MD5 : da1f27d85e0d1525f6621372e7b685e9
SHA1 : e3d2dc5eb273fa701de8af13b60d6baac7629260
SHA256: 5a81a46a3bdd19dafc6c87d277267a5d44f3a1b5302f2cc1111d84b7bad5610d
ssdeep: 48:qvsINlblgYeU/DtYrmVimGxIBqOopSDKGV7Co+sjIZWQ7q2ue5WwGD+:ilbd/DKrmLGWBqhev7X+MEWKLu+Ww8
File size : 4224 bytes
First seen: 2008-04-17 07:23:36
Last seen : 2011-06-17 23:17:19
TrID:
Win64 Executable Generic (95.5%)
Generic Win/DOS Executable (2.2%)
DOS Executable Generic (2.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: BEEP Driver
original name: beep.sys
internal name: beep.sys
file version.: 5.1.2600.0 (XPClient.010817-1148)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x66C
timedatestamp....: 0x3B7D82E5 (Fri Aug 17 20:47:33 2001)
machinetype......: 0x14c (I386)

[[ 5 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x300, 0x424, 0x480, 5.77, 64f775a399d212649b5b58a280791c2d
.rdata, 0x780, 0xAD, 0x100, 2.62, 0ace5f365131534c66de4137833221ad
INIT, 0x880, 0x284, 0x300, 4.44, 13a9d0bea8490140305ffa9291acfd99
.rsrc, 0xB80, 0x3C8, 0x400, 3.22, 9b654fc1759147ff04b147754f347be4
.reloc, 0xF80, 0x9A, 0x100, 2.80, 5c4742feb834ca0995d1e806fe06cc57

[[ 2 import(s) ]]
ntoskrnl.exe: MmLockPagableDataSection, KeCancelTimer, MmUnlockPagableImageSection, IoStartNextPacket, KeSetTimer, _allmul, IoStartPacket, KeInitializeEvent, KeInitializeTimer, KeInitializeDpc, IoCreateDevice, RtlInitUnicodeString, IoAcquireCancelSpinLock, KeRemoveDeviceQueue, KeRemoveEntryDeviceQueue, IoReleaseCancelSpinLock, IoDeleteDevice, IofCompleteRequest
HAL.dll: ExReleaseFastMutex, KfRaiseIrql, KfLowerIrql, HalMakeBeep, ExAcquireFastMutex

#12 patndoris

patndoris

  • Security Colleague
  • 127 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Maryland
  • Local time:06:22 PM

Posted 17 June 2011 - 06:47 PM

Glad to hear things are improving. Let's do a couple other scans to double check. Different tools look in different places for malware and no one tool can find everything.


I see you have Malwarebytes already on your machine. Please run it by double clicking the icon on the desktop.
  • Click on the tab labeled Update and then click on the button Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.


This scan may take a while depending on how many items are on the computer. You may want to run it at a time you won't be needing the machine. It should be run from IE and I'd recommend not doing anything else while it's running.


http://www.eset.eu/online-scanner
Go here to run an online scanner from ESET.
Click the green ESET Online Scanner button.
Read the End User License Agreement and check the box: YES, I accept the Terms of Use.
Click on the Start button next to it.
You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.
A new window will appear asking "Do you want to install this software?".
Answer Yes to download and install the ActiveX controls that allow the scan to run.
Click Start.
Uncheck Remove found threats.
Click Scan to begin.
If offered the option to get information or buy software, just close the window.
Wait for the scan to finish.
Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic.
~Doris~

Proud Graduate of the WTT Classroom
Member of  UNITE

#13 patndoris

patndoris

  • Security Colleague
  • 127 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Maryland
  • Local time:06:22 PM

Posted 20 June 2011 - 08:40 AM

Are you having any difficulty with the last set of instructions?

Reminder: Topics with no reply in 3 days will be closed.
~Doris~

Proud Graduate of the WTT Classroom
Member of  UNITE

#14 sawo

sawo
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:05:22 PM

Posted 20 June 2011 - 10:31 AM

Hi,

Sorry for the delay. I was able to run MAM and you'll find the log generated below. The program was able to remove the viruses but asked that I reboot anyway, which I did. I wasn't able to download ESET and got the message "can not get update. is proxy configured?" How do I make changes to the proxy to make the scan work?


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6897

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

6/20/2011 11:04:37 AM
mbam-log-2011-06-20 (11-04-37).txt

Scan type: Full scan (C:\|)
Objects scanned: 264410
Time elapsed: 3 hour(s), 10 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Qoobox\quarantine\C\documents and settings\all users\application data\15523620.exe.vir (Trojan.Agent.GD) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\all users\application data\dgmwvfdydk.exe.vir (Trojan.FakeMS) -> Quarantined and deleted successfully.
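As an added triage example (not part of this post or of Malwarebytes itself): both detections above sit under c:\Qoobox\quarantine with a .vir suffix, which is where ComboFix keeps files it has already removed, so they are leftovers rather than live infections. The script below parses MBAM "Files Infected" lines and separates such quarantine copies from hits on live paths; the third sample line (EXAMPLE.exe) is constructed for contrast.

```python
# Triage helper for Malwarebytes' Anti-Malware 1.x "Files Infected" lines.
# Added example for this thread, not part of the post or of MBAM itself.
import re
from pathlib import PureWindowsPath

# Folders where other cleanup tools park files they already removed. A hit
# under one of these, or carrying the .vir suffix ComboFix adds, is a
# leftover copy, not an active infection.
QUARANTINE_ROOTS = (PureWindowsPath(r"c:\Qoobox\quarantine"),)

# One MBAM detection line: <path> (<family>) -> <action>.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<family>[^)]+)\) -> (?P<action>.+)\.$"
)

# Constructed log excerpt: the first two lines are the ones posted in the
# thread; the third is a made-up live-path detection for contrast.
SAMPLE_LOG = r"""
Files Infected:
c:\Qoobox\quarantine\C\documents and settings\all users\application data\15523620.exe.vir (Trojan.Agent.GD) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\all users\application data\dgmwvfdydk.exe.vir (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\EXAMPLE.exe (Trojan.FakeMS) -> No action taken.
"""

def parse_detections(log_text):
    """Yield (path, family, action) for every detection line in the log."""
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            yield m.group("path"), m.group("family"), m.group("action")

def is_quarantined_copy(path):
    """True if the path is a .vir copy or sits under a known quarantine root."""
    p = PureWindowsPath(path)  # PureWindowsPath compares case-insensitively
    return p.suffix.lower() == ".vir" or any(r in p.parents for r in QUARANTINE_ROOTS)

def triage(log_text):
    """Split detections into (live, leftovers); only 'live' needs follow-up."""
    live, leftovers = [], []
    for hit in parse_detections(log_text):
        (leftovers if is_quarantined_copy(hit[0]) else live).append(hit)
    return live, leftovers

if __name__ == "__main__":
    live, leftovers = triage(SAMPLE_LOG)
    print(f"{len(leftovers)} quarantine leftover(s), {len(live)} live detection(s)")
    for path, family, _ in live:
        print("ACTIVE:", family, "at", path)
```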

#15 patndoris

patndoris

  • Security Colleague
  • 127 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Maryland
  • Local time:06:22 PM

Posted 20 June 2011 - 04:10 PM

You should not need to change the proxy to run ESET. Let's try a different scan. Please be sure to use Internet Explorer when doing online scans.

Perform an online scan with Internet Explorer with Panda ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, it should start to scan automatically
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to your desktop.
  • Post the report in your next reply.

Note: Turn off the real time scanner of any existing antivirus program while performing the online scan

~Doris~

Proud Graduate of the WTT Classroom
Member of  UNITE



