
Computer Restarts with Internet Connect


  • This topic is locked
43 replies to this topic

#1 Jatin Rạjpura

  • Banned Spammer
  • 29 posts

Posted 14 June 2011 - 08:54 AM

Dear All,

Below is my HijackThis log; please help me to solve this restarting problem, which is because of a Trojan or virus.

I have tried the Quick Heal Live CD, a command-line scanner and Trend Micro Anti Virus, and still cannot solve this problem. It cannot detect it.

Also I have tried the eScan Live CD, updated in Feb; still no effect.

Also used HouseCall, but while it was still processing, the computer restarted.

Logfile of HijackThis v1.99.1
Scan saved at 9:48:03 AM, on 6/14/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Trend Micro\Titanium\plugin\TMAS\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Zorpia Notifier\Zorpia Notifier.exe
C:\Documents and Settings\Jatin_soni\Application Data\winlogon\winlogon.exe
C:\Documents and Settings\Jatin_soni\Application Data\932681587.exe
C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe
C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\All Users\Application Data\QuestScan\questscan137.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
C:\Program Files\Reliance Netconnect - Broadband+\bin\MonServiceUDisk.exe
C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\QuestScan\questscan.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Tencent\QQIntl\Bin\QQ.exe
C:\Program Files\Tencent\QQIntl\Bin\TXPlatform.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go (dot) microsoft (dot) come/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go (dot) microsoft (dot) come/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go (dot) microsoft (dot) come/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go (dot) microsoft (dot) come/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www (dot)rcom (dot) co (dot)in/Communications/rcom/RNetconnect/9374475247.html
R3 - URLSearchHook: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\prxtbuTo0.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: ShopperReports - {100EB1FD-D03E-47fd-81F3-EE91287F9465} - (no file)
O2 - BHO: Trend Micro NSC BHO - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1464\6.6.1079\TmIEPlg.dll
O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Documents and Settings\Jatin_soni\Local Settings\Application Data\ConduitEngine\ldrConduitEngine.dll
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: Use the DivX Plus Web Player to watch web videos with less interruptions and smoother playback on supported sites - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: TmBpIeBHO - {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\Module\20002\6.5.1234\6.5.1234\TmBpIe32.dll
O2 - BHO: uTorrentBar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\prxtbuTo0.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\prxtbuTo0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Trend Micro Titanium] C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe -set Silent "1" SplashURL ""
O4 - HKLM\..\Run: [OE] "C:\Program Files\Trend Micro\Titanium\plugin\TMAS\TMAS_OE\TMAS_OEMon.exe"
O4 - HKLM\..\Run: [Trend Micro Client Framework] "C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jatin_soni\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [winlogon.exe] C:\Documents and Settings\Jatin_soni\Application Data\winlogon\winlogon.exe
O4 - HKCU\..\Run: [TProtect] C:\Documents and Settings\Jatin_soni\Application Data\932681587.exe
O4 - Startup: Zorpia Notifier.lnk = C:\Program Files\Zorpia Notifier\Zorpia Notifier.exe
O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Program Files\Offline Explorer Enterprise\Add_UrlO.htm
O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Program Files\Offline Explorer Enterprise\Add_AllO.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O8 - Extra context menu item: QQ - C:\Program Files\Tencent\QQIntl\Bin\AddEmotion.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: ICQ7.5 - {7578ADEA-D65F-4C89-A249-B1C88B6FFC20} - C:\Program Files\ICQ7.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ7.5 - {7578ADEA-D65F-4C89-A249-B1C88B6FFC20} - C:\Program Files\ICQ7.5\ICQ.exe
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShopperReports3\bin\3.0.517.0\ShopperReports.dll (file missing)
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShopperReports3\bin\3.0.517.0\ShopperReports.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
O11 - Options group: [INTERNATIONAL] International
O17 - HKLM\System\CCS\Services\Tcpip\..\{7BA8878B-2BE5-4D7C-BE0A-B8D4221EC9CE}: NameServer = 218.248.255.212 218.248.241.2
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\Module\20002\6.5.1234\6.5.1234\TmBpIe32.dll
O18 - Protocol: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1464\6.6.1079\TmIEPlg.dll
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Trend Micro Solution Platform (Amsp) - Unknown owner - C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Microsoft SharePoint Workspace Audit Service - Unknown owner - C:\Program Files\Microsoft Office\Office14\GROOVE.EXE" /auditservice (file missing)
O23 - Service: QuestScan Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\QuestScan\questscan137.exe" "C:\Program Files\QuestScan\questscan.dll" mozanejej wuwoyicom (file missing)
O23 - Service: TeamViewer 5 (TeamViewer5) - Unknown owner - C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe" -service (file missing)
O23 - Service: TeamViewer 6 (TeamViewer6) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
O23 - Service: Apache Tomcat 6 (Tomcat6) - Unknown owner - C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe" //RS//Tomcat6 (file missing)
O23 - Service: UDisk Monitor - Unknown owner - C:\Program Files\Reliance Netconnect - Broadband+\bin\MonServiceUDisk.exe
O23 - Service: VMware Agent Service (ufad-ws60) - Unknown owner - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe" -d "C:\Program Files\VMware\VMware Workstation\\" -s ufad-p2v.xml (file missing)
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware USB Arbitration Service (VMUSBArbService) - VMware, Inc. - C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

932681587.exe
This is the virus, but if I open Task Manager and End Task it, my computer restarts at once.
So now how to solve it?
I also tried msconfig -> stop this process at start-up.
But the next time I restart the PC, it comes back with a different name.




Thanks & Regards
Jatin

Edited by Orange Blossom, 10 July 2011 - 11:34 PM.




#2 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 22 June 2011 - 07:13 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 Jatin Rạjpura
  • Topic Starter

  • Banned Spammer
  • 29 posts

Posted 22 June 2011 - 10:21 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:



Dear All,

Good News .. I think my problem is solved after using ComboFix (hehe.. I was not able to use the internet in safe mode, so I could not download the Windows Recovery Console ..)

Please check the log file generated below and let me know if there is anything else I have to do.

ComboFix 11-06-17.04 - Jatin_soni 06/19/2011 18:17:54.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1013.393 [GMT 5.5:30]
Running from: c:\documents and settings\Jatin_soni\Desktop\ComboFix.exe
FW: Trend Micro Firewall Booster *Disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

PLEASE FIND ATTACHED LOG FILE FOR COMBOFIX AND LET ME KNOW .


Waiting for the reply; what more can I do now in my system?

#4 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 23 June 2011 - 01:26 PM

Please note: ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for private use. Please read Combofix's Disclaimer.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


The system could do with a clean-up, though.

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

NB: If you are using Firefox and this has caused page loading problems then please clear your private data. To do this go to the Tools menu, select Clear Private Data, and then check Cache. Click Clear Private Data Now.

This could also be Clear Recent History or similar.

Then close Firefox and then reopen it.



Then

To Clear the Java Runtime Environment (JRE) cache, do this:
  • Click Start > Settings > Control Panel.
  • Double-click the Java icon. If you don't see it, go to Other options in the left panel or change to Classic View
    -The Java Control Panel appears.
  • Click "Settings" under Temporary Internet Files.
    -The Temporary Files Settings dialog box appears.
  • Click "Delete Files".
    -The Delete Temporary Files dialog box appears.
    -There are three options on this window to clear the cache.
    • Delete Files
    • Applications and applets
    • Trace and log files
  • Click "OK" on Delete Temporary Files window.
    -Note: This deletes all the Downloaded Applications and Applets from the cache.
  • Click "OK" on Temporary Files Settings window.
  • Close the Java Control Panel.
You can also view these instructions along with screenshots here.


And run ESET


I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
If no log is generated that means nothing was found. Please let me know if this happens.
m0le is a proud member of UNITE

#5 Jatin Rạjpura
  • Topic Starter

  • Banned Spammer
  • 29 posts

Posted 24 June 2011 - 09:08 PM

Dear Helper,

I have done all the steps as you said.

The first time the scan was running it found more than 80 Win32/.... .

But after it finished, as you said, the next time I ran it, it did not find any virus.

Thanks so much for your help.
---------------------------------------

But still I think there is a virus or rootkit on my PC by default; I always have a pop-up for Microsoft Security Bulletin MS03-026 Block.

I tried to install its patch, but it told me that I have the latest Windows XP, which already has this, so it cannot be installed.


I have found this solution, which is below. Can I try it?

Also Known As:
W32/Blaster-B [Sophos], W32/Lovsan.worm.b [McAfee], Win32.Poza.B [CA], WORM_MSBLAST.C [Trend], Worm.Win32.Lovesan.a [Kaspersk
Type:
Worm
Systems Affected:
Windows 2000, Windows XP


Removal using the W32.Blaster.C.Worm Removal Tool
Symantec Security Response has developed a removal tool to clean the infections of W32.Blaster.C.Worm. Try this tool first, as it is the easiest way to remove this threat.


Manual Removal
As an alternative to using the removal tool, you can manually remove this threat. The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Restore Internet connectivity.
2. End the worm process.
3. Obtain the latest virus definitions.
4. Scan for and delete the infected files.
5. Reverse the changes made to the registry.
6. Obtain the Microsoft HotFix to correct the DCOM RPC vulnerability



For specific details, refer to the following instructions:

1. Restoring Internet connectivity
In many cases, on both Windows 2000 and XP, changing the settings for the Remote Procedure Call (RPC) service may allow you to connect to the Internet without the computer shutting down. To restore Internet connectivity to your PC, follow these steps:

1. Click Start > Run. The Run dialog box appears.
2. Type:

SERVICES.MSC /S

in the open line, and then click OK. The Services window opens.

3. In the left pane, double-click Services and Applications, and then select Services. A list of services appears.
4. In the right pane, locate the Remote Procedure Call (RPC) service.

CAUTION: There is also a service named Remote Procedure Call (RPC) Locator. Do not confuse the two.
5. Right-click the Remote Procedure Call (RPC) service, and then click Properties.
6. Click the Recovery tab.
7. Using the drop-down lists, change First failure, Second failure, and Subsequent failures to "Restart the Service."
8. Click Apply, and then OK.

CAUTION: Make sure that you change these settings back once you have removed the worm.

2. Ending the Worm process

1. Press Ctrl+Alt+Delete once.
2. Click Task Manager.
3. Click the Processes tab.
4. Double-click the Image Name column header to alphabetically sort the processes.
5. Scroll through the list and look for teekids.exe.
6. If you find the file, click it, and then click End Process.
7. Exit the Task Manager.

3. Obtaining the latest virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:

For newer computer users
Running LiveUpdate, which is the easiest way to obtain virus definitions: Virus definitions for W32.Blaster.worm have been made available via the LiveUpdate server since August 11th, 2003. To obtain the latest virus definitions, click the LiveUpdate button from within the main user interface of your Symantec product. When running LiveUpdate, ensure that only "Norton AntiVirus Virus Definitions" are checked. Product updates can be obtained at a later time.

For system administrators and advanced users
Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.

4. Scanning for and deleting the infected files

1. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
* For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."
* For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan all files."
2. Run a full system scan.
3. If any files are detected as infected with W32.Blaster.Worm, click Delete.


5. Reversing the changes made to the registry

WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

1. Click Start, and then click Run. (The Run dialog box appears.)
2. Type regedit

Then click OK. (The Registry Editor opens.)

3. Navigate to the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

4. In the right pane, delete the value:

"Microsoft Inet Xp.."="teekids.exe"

5. Exit the Registry Editor.


6. Obtaining the Microsoft HotFix to correct the DCOM RPC vulnerability
W32.Blaster.Worm is a worm that exploits the DCOM RPC vulnerability using TCP port 135 to infect your PC. The W32.Blaster.Worm also attempts to perform a DoS on the Microsoft Windows Update Web server (windowsupdate.com) using your PC. To fix this, it is important to obtain the Microsoft Hotfix at: Microsoft Security Bulletin MS03-026.



Writeup By: Douglas Knowles

Edited by Jatin Rạjpura, 25 June 2011 - 03:06 AM.
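The HijackThis log in the first post and the Blaster manual-removal steps quoted above come down to the same triage question: which autorun and process entries point at a binary that does not belong where it runs. The Python below is an added example (not code from the thread, HijackThis or Symantec) that parses HijackThis-style `Running processes`, `O4 - ...\Run` and `O4 - Startup` lines and flags the traits seen here: a system-binary name such as winlogon.exe outside System32, an executable launched from a profile's Application Data folder, an all-digit file name, a bare file name with no directory, and the `"Microsoft Inet Xp.."="teekids.exe"` Run value from the Symantec writeup. The sample log, the `SYSTEM_BINARIES` set and the heuristics are constructed for this example, not taken from the tool.

```python
"""Triage autorun and process entries from a HijackThis v1.99 log.
Added example for this thread, not code from HijackThis, Symantec or the
posters; SAMPLE_LOG is constructed to mirror the posted log plus the
Blaster Run value from the quoted Symantec writeup."""
import ntpath
import re

SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\system32\\winlogon.exe
C:\\Documents and Settings\\user\\Application Data\\winlogon\\winlogon.exe
C:\\Documents and Settings\\user\\Application Data\\932681587.exe
C:\\Program Files\\Mozilla Firefox\\firefox.exe

O4 - HKLM\\..\\Run: [IgfxTray] C:\\WINDOWS\\system32\\igfxtray.exe
O4 - HKLM\\..\\Run: [KernelFaultCheck] %systemroot%\\system32\\dumprep 0 -k
O4 - HKCU\\..\\Run: [uTorrent] "C:\\Program Files\\uTorrent\\uTorrent.exe"
O4 - HKCU\\..\\Run: [winlogon.exe] C:\\Documents and Settings\\user\\Application Data\\winlogon\\winlogon.exe
O4 - HKCU\\..\\Run: [TProtect] C:\\Documents and Settings\\user\\Application Data\\932681587.exe
O4 - HKLM\\..\\Run: [Microsoft Inet Xp..] teekids.exe
O4 - Startup: Zorpia Notifier.lnk = C:\\Program Files\\Zorpia Notifier\\Zorpia Notifier.exe
"""

# Core Windows XP binaries that only belong in %SystemRoot%\system32
# (a list assumed for this example, not taken from HijackThis).
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "spoolsv.exe"}
# The W32.Blaster Run value quoted in the thread from Symantec's writeup.
BLASTER_VALUE_NAME = "microsoft inet xp.."
BLASTER_FILE = "teekids.exe"

RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.*)$")
STARTUP_RE = re.compile(r"^O4 - Startup: (.+?) = (.+)$")
SYSTEM32_RE = re.compile(r"^([a-z]:\\windows|%systemroot%)\\system32\\[^\\]+$")

def extract_path(value_data):
    """Quoted path plus switches, unquoted path with spaces ending in .exe,
    or a bare file name such as 'teekids.exe'."""
    value_data = value_data.strip()
    if value_data.startswith('"'):
        end = value_data.find('"', 1)
        return value_data[1:end] if end > 0 else value_data[1:]
    m = re.match(r"(.*?\.exe)(?=\s|$)", value_data, re.IGNORECASE)
    return m.group(1) if m else value_data.split(" ", 1)[0]

def assess(path, value_name=None):
    """Return the reasons an autorun or process entry deserves review."""
    reasons = []
    p = path.lower()
    base = ntpath.basename(p)
    if base in SYSTEM_BINARIES and not SYSTEM32_RE.match(p):
        reasons.append("system binary name outside System32 (masquerading)")
    if "\\documents and settings\\" in p and (
            "\\application data\\" in p or "\\local settings\\" in p):
        reasons.append("runs from a user-writable profile folder")
    if re.fullmatch(r"\d+\.exe", base):
        reasons.append("all-digit file name")
    if "\\" not in p and not p.startswith("%"):
        reasons.append("no directory given; resolved through the search path")
    if base == BLASTER_FILE or (value_name or "").lower() == BLASTER_VALUE_NAME:
        reasons.append("matches the W32.Blaster Run value from the Symantec writeup")
    return reasons

def parse_hjt(text):
    """Return (kind, value_name, path) tuples for running processes,
    Run-key entries and Startup-folder shortcuts."""
    entries, in_procs = [], False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                entries.append(("process", None, line))
            else:
                in_procs = False  # a blank line ends the process list
            continue
        run = RUN_RE.match(line)
        if run:
            hive, name, data = run.groups()
            entries.append(("run:" + hive, name, extract_path(data)))
            continue
        startup = STARTUP_RE.match(line)
        if startup:
            entries.append(("startup", startup.group(1), startup.group(2)))
    return entries

def triage(text):
    """Return only the entries that carry at least one review reason."""
    findings = []
    for kind, name, path in parse_hjt(text):
        reasons = assess(path, name)
        if reasons:
            findings.append({"kind": kind, "name": name, "path": path, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['path']} -> {'; '.join(f['reasons'])}")
```

Run against the sample it reports the two Application Data processes, the [winlogon.exe] and [TProtect] Run values and the Blaster value, while the System32, Program Files and Startup entries pass; point it at a real log by reading the file into `triage()`.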


#6 Jatin Rạjpura
  • Topic Starter

  • Banned Spammer
  • 29 posts

Posted 25 June 2011 - 03:09 AM

This tool is designed to remove the infections of:

W32.Blaster.Worm
W32.Blaster.B.Worm
W32.Blaster.C.Worm
W32.Blaster.D.Worm
W32.Blaster.E.Worm
W32.Blaster.F.Worm

Important:
W32.Blaster.Worm exploits the DCOM RPC vulnerability. This is described in Microsoft Security Bulletin MS03-026, and a patch is available there. You must download and install the patch. In many cases, you will need to do this before continuing with the removal instructions. If you are not able to remove the infection or prevent re-infection using the following instructions, first download and install the patch.

Additional information, and an alternate site from which to download the Microsoft patch is available in the Microsoft article "What You Should Know About the Blaster Worm and Its Variants."

Because of the way the worm works, it may be difficult to connect to the Internet to obtain the patch, definitions, or removal tool before the worm shuts down the computer. It has been reported that, for users of Windows XP, activating the Windows XP firewall may allow you to download and install the patch, obtain virus definitions, and run the removal tool. This may also work with other firewalls, although this has not been confirmed.


Important:

* If you are on a network or have a full-time connection to the Internet, such as a DSL or cable modem, disconnect the computer from the network and Internet. Disable or password-protect file sharing, or set the shared files to Read Only, before reconnecting the computers to the network or to the Internet. Because this worm spreads by using shared folders on networked computers, to ensure that the worm does not reinfect the computer after it has been removed, Symantec suggests sharing with Read Only access or by using password protection.

For instructions on how to do this, refer to your Windows documentation, or the document: How to configure shared Windows folders for maximum network protection.

* If you are removing an infection from a network, first make sure that all the shares are disabled or set to Read Only.
* This tool is not designed to run on Novell NetWare servers. To remove this threat from a NetWare server, first make sure that you have the current virus definitions, and then run a full system scan with the Symantec antivirus product.


How to download and run the tool

Important: You must have administrative rights to run this tool on Windows NT 4.0, Windows 2000, or Windows XP.

Note for network administrators: If you are running MS Exchange 2000 Server, we recommend that you exclude the M drive from the scan by running the tool from a command line, with the Exclude switch. For more information, read the Microsoft knowledge base article: XADM: Do Not Back Up or Scan Exchange 2000 Drive M (Article 298924).

Follow these steps to download and run the tool:

1. Download the FixBlast.exe file from: http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixBlast.exe.
2. Save the file to a convenient location, such as your Windows desktop.
3. Optional: To check the authenticity of the digital signature, refer to the "Digital signature" section later in this writeup.

Note: If you are sure that you are downloading this tool from the Security Response Web site, you can skip this step. If you are not sure, or are a network administrator and need to authenticate the files before deployment, follow the steps in the "Digital signature" section before proceeding with step 4.

4. Close all the running programs.
5. If you are on a network or if you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.
6. If you are running Windows Me or XP, turn off System Restore. For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:

How to disable or enable Windows Me System Restore

How to turn off or turn on Windows XP System Restore

7. Locate the file that you just downloaded.
8. Double-click the FixBlast.exe file to start the removal tool.
9. Click Start to begin the process, and then allow the tool to run.

NOTE: If you have any problems when you run the tool, or it does not appear to remove the threat, restart the computer in Safe mode and run the tool again.

10. Restart the computer.
11. Run the removal tool again to ensure that the system is clean.
12. If you are running Windows Me/XP, then reenable System Restore.
13. If you are on a network or if you have a full-time connection to the Internet, reconnect the computer to the network or to the Internet connection.
14. Run LiveUpdate to make sure that you are using the most current virus definitions.


When the tool has finished running, you will see a message indicating whether the threat has infected the computer. The tool displays results similar to the following:

* Total number of the scanned files
* Number of deleted files
* Number of repaired files
* Number of terminated viral processes
* Number of fixed registry entries


What the tool does
The Removal Tool does the following:

* Terminates the associated processes
* Deletes the associated files
* Deletes the registry values added by the threat


Switches
The following switches are designed for use by network administrators:
/HELP, /H, /?
Displays the help message.
/NOFIXREG
Disables the registry repair (We do not recommend using this switch).
/SILENT, /S
Enables the silent mode.
/LOG=[PATH NAME]
Creates a log file where [PATH NAME] is the location in which to store the tool's output. By default, this switch creates the log file, FixBlast.log, in the same folder from which the removal tool was executed.
/MAPPED
Scans the mapped network drives. (We do not recommend using this switch. See the following Note.)
/START
Forces the tool to immediately start scanning.
/EXCLUDE=[PATH]
Excludes the specified [PATH] from scanning. (We do not recommend using this switch. See the following Note.)
/NOCANCEL
Disables the cancel feature of the removal tool.
/NOFILESCAN
Prevents the scanning of the file system.
/NOVULNCHECK
Disables checking for unpatched files.


Important: Using the /MAPPED switch does not ensure the complete removal of the virus on the remote computer, because:

* The scanning of mapped drives scans only the mapped folders. This may not include all the folders on the remote computer, which can lead to missed detections.
* If a viral file is detected on the mapped drive, the removal will fail if a program on the remote computer uses this file.

Therefore, you should run the tool on every computer.

The /EXCLUDE switch will only work with one path, not multiple. An alternative is the /NOFILESCAN switch followed by a manual scan with AntiVirus. This will let the tool alter the registry. Then, scan the computer with AntiVirus with current virus definitions. With these steps, you should be able to clean the file system.

The following is an example command line that can be used to exclude a single drive:

"C:\Documents and Settings\user1\Desktop\FixBlast.exe" /EXCLUDE=M:\ /LOG=c:\FixBlast.txt

Alternatively, the command line below will skip scanning the file system, but will repair the registry modifications. Then, run a regular scan of the system with proper exclusions:

"C:\Documents and Settings\user1\Desktop\FixBlast.exe" /NOFILESCAN /LOG=c:\FixBlast.txt

Note: You can give the log file any name and save it to any location.

Digital signature
For security purposes, the removal tool is digitally signed. Symantec recommends that you use only copies of the removal tool that have been directly downloaded from the Symantec Security Response Web site.

If you are not sure, or are a network administrator and need to authenticate files before deployment, you should check the authenticity of the digital signature.

Follow these steps:

1. Go to http://www.wmsoftware.com/free.htm.
2. Download and save the Chktrust.exe file to the same folder in which you saved the removal tool.

Note: Most of the following steps are done at a command prompt. If you downloaded the removal tool to the Windows desktop, it will be easier if you first move the tool to the root of the C drive. Then save the Chktrust.exe file to the root of C as well.

(Steps 3 onward assume that both the removal tool and Chktrust.exe are in the root of the C drive.)

3. Click Start > Run.
4. Type one of the following:

Windows 95/98/Me:
command

Windows NT/2000/XP:
cmd

5. Click OK.
6. In the command window, type the following, pressing Enter after typing each line:

cd\
chktrust -i FixBlast.exe

7. You should see the following message:

Do you want to install and run "W32.Blaster.Worm Removal Tool" signed on 8/14/2003 08:52 AM and distributed by Symantec Corporation?

Notes:
The date and time in the digital signature above are based on Pacific time. They will be adjusted to your computer's time zone and Regional Options settings.

If you are using Daylight Saving time, the displayed time will be exactly one hour earlier.

If this dialog box does not appear, there are two possible reasons:

The tool is not from Symantec: Unless you are sure that the tool is legitimate and that you downloaded it from the legitimate Symantec Web site, you should not run it.

The tool is from Symantec and is legitimate: However, your operating system was previously instructed to always trust content from Symantec. For information on this and on how to view the confirmation dialog again, read the document: How to restore the Publisher Authenticity confirmation dialog box.

8. Click Yes or Run to close the dialog box.
9. Type exit, and then press Enter. (This will close the MS-DOS session.)

Is this helpful?

#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:27 AM

Posted 25 June 2011 - 03:48 AM

That is for the Blaster Worm virus and there's no evidence of that here.

So far you have posted this:

I think my Problem is solved after using ConboFix


Then this:

But stilll I think there is Virus or Rootkit on my pc by default


How can you be thinking two opposite things at the same time?


Please run aswMBR to check for rootkits

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

m0le is a proud member of UNITE

#8 Jatin Rạjpura

Jatin Rạjpura
  • Topic Starter

  • Banned Spammer
  • 29 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:57 AM

Posted 25 June 2011 - 11:34 AM

Dear Helper,

It is asking me to download the latest definitions of Avast Anti Virus, but I have installed Trend Micro Titanium Security, so do I need to install it or not?

If not, you can see below how small my scanned log is.

It scanned only one folder. Also, you can see the attached alert message that I always get after nearly 30 minutes.

aswMBR version 0.9.7.675 Copyright© 2011 AVAST Software
Run date: 2011-06-25 22:02:01
-----------------------------
22:02:01.296 OS Version: Windows 5.1.2600 Service Pack 3
22:02:01.296 Number of processors: 2 586 0xF0D
22:02:01.296 ComputerName: JATIN UserName:
22:02:01.750 Initialize success
22:02:05.703 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
22:02:05.703 Disk 0 Vendor: ST3160215AS 3.AAD Size: 152627MB BusType: 3
22:02:07.734 Disk 0 MBR read successfully
22:02:07.734 Disk 0 MBR scan
22:02:07.734 Disk 0 unknown MBR code
22:02:09.734 Disk 0 scanning sectors +312560640
22:02:09.765 Disk 0 scanning C:\WINDOWS\system32\drivers
22:02:14.484 Service scanning
22:02:15.718 Disk 0 trace - called modules:
22:02:15.734 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
22:02:15.734 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86591ab8]
22:02:15.734 3 CLASSPNP.SYS[f762efd7] -> nt!IofCallDriver -> \Device\00000069[0x8654d9e8]
22:02:15.734 5 ACPI.sys[f74c5620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x86566940]
22:02:15.734 Scan finished successfully
22:02:20.656 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Jatin_soni\Desktop\MBR.dat"
22:02:20.656 The log file has been saved successfully to "C:\Documents and Settings\Jatin_soni\Desktop\aswMBR.txt"




That is for the Blaster Worm virus and there's no evidence of that here.

So far you have posted this:

I think my Problem is solved after using ConboFix


(Problem about restart is solved ... But this Error still comes. )

Then this:

But still I think there is Virus or Rootkit on my pc by default


How can you be thinking two opposite things at the same time?

(Sorry .. for my wrong explanation ...)

Attached Files


Edited by Jatin Rạjpura, 25 June 2011 - 11:38 AM.


#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:27 AM

Posted 25 June 2011 - 01:46 PM

Thanks for the explanation :thumbup2:

No idea what is requesting you to update Avast, but run the Avast uninstaller in case there are some remnants of a previous antivirus there.

aswMBR finds an unknown MBR, so we need to try another tool for an identification.

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
m0le is a proud member of UNITE

#10 Jatin Rạjpura

Jatin Rạjpura
  • Topic Starter

  • Banned Spammer
  • 29 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:57 AM

Posted 25 June 2011 - 10:24 PM

Dear Helper,

As per your request, you can see the log below.

--> When I click to run aswMBR, it asks me to download the latest Avast definitions; you can also check by downloading the file you sent me.

For MBRCheck.exe Log :

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000002fc

Kernel Drivers (total 130):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xF7AEE000 \WINDOWS\system32\KDCOM.DLL
0xF79FE000 \WINDOWS\system32\BOOTVID.dll
0xF74BF000 ACPI.sys
0xF7AF0000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF74AE000 pci.sys
0xF75EE000 isapnp.sys
0xF7BB6000 pciide.sys
0xF786E000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF75FE000 MountMgr.sys
0xF748F000 ftdisk.sys
0xF7AF2000 dmload.sys
0xF7469000 dmio.sys
0xF7876000 PartMgr.sys
0xF760E000 VolSnap.sys
0xF7451000 atapi.sys
0xF761E000 disk.sys
0xF762E000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7431000 fltMgr.sys
0xF741F000 sr.sys
0xF763E000 PxHelp20.sys
0xF7408000 KSecDD.sys
0xF737B000 Ntfs.sys
0xF734E000 NDIS.sys
0xF7334000 Mup.sys
0xF784E000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF676E000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
0xF675A000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF6732000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF671B000 \SystemRoot\system32\DRIVERS\Rtenicxp.sys
0xF7946000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF66F7000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF794E000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF7956000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF795E000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF7966000 \??\C:\WINDOWS\system32\drivers\VMkbd.sys
0xF765E000 \SystemRoot\system32\DRIVERS\serial.sys
0xF7ACE000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF6DF5000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF6DE5000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF6DD5000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF66D4000 \SystemRoot\system32\DRIVERS\ks.sys
0xF7C47000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF6DC5000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7AD6000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF66BD000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF6DB5000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF6DA5000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF796E000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF66AC000 \SystemRoot\system32\DRIVERS\psched.sys
0xF6D95000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7976000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF797E000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF667C000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF6D85000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF665F000 \SystemRoot\system32\DRIVERS\mcdbus.sys
0xF6647000 \SystemRoot\system32\DRIVERS\SCSIPORT.SYS
0xF7B12000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF65E9000 \SystemRoot\system32\DRIVERS\update.sys
0xF72F7000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF6401000 \SystemRoot\system32\DRIVERS\TM_CFW.sys
0xF72E7000 \SystemRoot\system32\DRIVERS\vmnetadapter.sys
0xF72E3000 \SystemRoot\system32\DRIVERS\VMNET.SYS
0xF6D75000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xAA363000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xAA33F000 \SystemRoot\system32\drivers\portcls.sys
0xF767E000 \SystemRoot\system32\drivers\drmk.sys
0xF76AE000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7B20000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF7B22000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7C29000 \SystemRoot\System32\Drivers\Null.SYS
0xF7B24000 \SystemRoot\System32\Drivers\Beep.SYS
0xF79AE000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF79B6000 \SystemRoot\System32\drivers\vga.sys
0xF7B26000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7B28000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF79BE000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF79C6000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF63FD000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xAA149000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xAA0F0000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xAA0C8000 \SystemRoot\system32\DRIVERS\netbt.sys
0xAA0A2000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF63E9000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xAA058000 \SystemRoot\System32\drivers\afd.sys
0xF76BE000 \SystemRoot\system32\DRIVERS\netbios.sys
0xAA043000 \SystemRoot\system32\DRIVERS\tmtdi.sys
0xAA018000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA9FA8000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF76CE000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF76DE000 \SystemRoot\System32\Drivers\Fips.SYS
0xAA1B8000 \SystemRoot\System32\Drivers\ASPI32.SYS
0xF79DE000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xAA1AC000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF772E000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF7AAA000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xA9F62000 \SystemRoot\System32\Drivers\usbvideo.sys
0xF774E000 \SystemRoot\system32\drivers\usbaudio.sys
0xAA19C000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xF775E000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA9F4A000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7B34000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF7AC6000 \SystemRoot\System32\drivers\Dxapi.sys
0xF78BE000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7BC8000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF024000 \SystemRoot\System32\igxpgd32.dll
0xBF012000 \SystemRoot\System32\igxprd32.dll
0xBF04E000 \SystemRoot\System32\igxpdv32.DLL
0xBF1D8000 \SystemRoot\System32\igxpdx32.DLL
0xBF453000 \SystemRoot\System32\ATMFD.DLL
0xF78CE000 \SystemRoot\system32\DRIVERS\vmnetbridge.sys
0xA9E36000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA9B9D000 \SystemRoot\system32\drivers\wdmaud.sys
0xF77CE000 \SystemRoot\system32\drivers\sysaudio.sys
0xA97B0000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA987D000 \??\C:\WINDOWS\system32\drivers\hcmon.sys
0xA9C72000 \??\C:\WINDOWS\system32\Drivers\vmci.sys
0xA95A9000 \??\C:\WINDOWS\system32\Drivers\vmx86.sys
0xA941C000 \SystemRoot\system32\DRIVERS\srv.sys
0xF7986000 \??\C:\WINDOWS\system32\drivers\vmnetuserif.sys
0xA9484000 \??\C:\Program Files\VMware\VMware Workstation\vstor2-ws60.sys
0xA9133000 \SystemRoot\System32\Drivers\HTTP.sys
0xA8F97000 \SystemRoot\system32\DRIVERS\tmcomm.sys
0xA8F85000 \SystemRoot\system32\DRIVERS\tmevtmgr.sys
0xA8F68000 \SystemRoot\system32\DRIVERS\tmactmon.sys
0xA8DAD000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 31):
0 System Idle Process
4 System
1104 C:\WINDOWS\system32\smss.exe
1180 csrss.exe
1204 C:\WINDOWS\system32\winlogon.exe
1248 C:\WINDOWS\system32\services.exe
1260 C:\WINDOWS\system32\lsass.exe
1448 C:\WINDOWS\system32\svchost.exe
1496 svchost.exe
628 C:\WINDOWS\system32\svchost.exe
832 svchost.exe
1056 svchost.exe
1572 C:\WINDOWS\system32\spoolsv.exe
1812 C:\WINDOWS\explorer.exe
1960 C:\WINDOWS\system32\hkcmd.exe
1972 C:\WINDOWS\system32\igfxsrvc.exe
1980 C:\WINDOWS\system32\igfxpers.exe
2032 C:\WINDOWS\RTHDCPL.exe
196 C:\Program Files\Trend Micro\Titanium\plugin\TMAS\TMAS_OE\TMAS_OEMon.exe
208 C:\WINDOWS\system32\ctfmon.exe
312 C:\Program Files\Zorpia Notifier\Zorpia Notifier.exe
504 svchost.exe
540 C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
552 C:\Program Files\Trend Micro\UniClient\UiFrmwrk\uiWatchDog.exe
564 C:\Program Files\Trend Micro\UniClient\UiFrmwrk\uiSeAgnt.exe
1916 C:\WINDOWS\system32\svchost.exe
1932 C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
2368 alg.exe
2200 C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
1596 C:\PROGRA~1\FREEDO~1\fdm.exe
1128 C:\Documents and Settings\Jatin_soni\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000011`16a2b400 (NTFS)
\\.\E: --> \\.\PhysicalDrive0 at offset 0x0000001a`da7f0a00 (NTFS)
\\.\H: --> \\.\PhysicalDrive0 at offset 0x00000007`52c65e00 (NTFS)

PhysicalDrive0 Model Number: ST3160215AS, Rev: 3.AAD

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: A014A00CE76D77960C5D424D97FC4FF67C19C7E8


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:

Done!

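Both tools above stop at "unknown MBR code": aswMBR in post #8 and MBRCheck in post #10, which also prints the byte offset of every volume and a SHA1 of the record. The script below is an added example, not code from the thread or from either tool, showing what a practitioner does with such a dump: split the 512-byte sector into boot code, disk signature and partition table, hash the code region separately from the whole sector so that hashes are comparable across machines, turn MBRCheck's "at offset 0x..." values back into sector numbers, and diff a fresh dump against a known-good copy to see which region changed (an MBR bootkit rewrites the boot code and keeps the partition table, so "boot_code" alone is the pattern to look for). The 512-byte record it parses is constructed in memory; the 255-head/63-sector geometry constant and the assumption that D:, E: and H: are logical drives inside one extended partition are mine, made because every offset in the log sits exactly one track past a cylinder boundary, which is where XP placed its first partition and its logical drives.

```python
"""Triage a 512-byte Master Boot Record in the spirit of the aswMBR / MBRCheck output above.

Added example, not code from the thread or from either tool. The record is built in
memory as a constructed sample; on a real machine use the dump0.dat / MBR.dat file the
thread asks for, or (as Administrator) open(r"\\.\PhysicalDrive0", "rb").read(512).
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440             # bytes 0..439: boot code
DISK_SIG_OFFSET = 440           # bytes 440..443: Windows disk signature (444..445 reserved)
PART_TABLE_OFFSET = 446         # bytes 446..509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"    # bytes 510..511
SECTORS_PER_CYLINDER = 255 * 63  # legacy geometry XP's partitioner assumed (assumption)
EXTENDED_TYPES = {0x05, 0x0F}
REGIONS = {
    "boot_code": (0, BOOT_CODE_LEN),
    "disk_signature": (DISK_SIG_OFFSET, DISK_SIG_OFFSET + 4),
    "partition_table": (PART_TABLE_OFFSET, PART_TABLE_OFFSET + 64),
    "boot_signature": (510, 512),
}


def lba_from_offset(byte_offset):
    """Turn an MBRCheck 'at offset 0x...' value into a sector number (LBA)."""
    if byte_offset % SECTOR:
        raise ValueError("offset 0x%X is not sector-aligned" % byte_offset)
    return byte_offset // SECTOR


def cylinder_aligned(lba):
    """True when a start sector is 'cylinder boundary + 63' (one track in), where XP put
    its first partition and every logical drive. Heuristic only: 1 MiB-aligned disks
    from Vista onward will not match."""
    return lba >= 63 and (lba - 63) % SECTORS_PER_CYLINDER == 0


def parse_mbr(mbr):
    """Split an MBR into hashes, disk signature and the non-empty partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly %d bytes, got %d" % (SECTOR, len(mbr)))
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        # entry: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, start, count = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue
        partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                           "lba_start": start, "sectors": count,
                           "byte_offset": start * SECTOR,
                           "extended": ptype in EXTENDED_TYPES})
    return {
        # code-region hash is comparable across machines; the whole-sector hash also
        # covers the per-disk signature and partition table, so it differs per disk
        "boot_code_sha1": hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper(),
        "sector_sha1": hashlib.sha1(mbr).hexdigest().upper(),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFFSET)[0],
        "partitions": partitions,
    }


def sanity_problems(info, disk_sectors):
    """Cheap structural checks that need no signature database."""
    problems = []
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        problems.append("expected one active partition, found %d" % len(active))
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"])
                   for p in info["partitions"])
    for _, end, idx in spans:
        if end > disk_sectors:
            problems.append("partition %d runs past the end of the disk" % idx)
    for (_, end1, _), (start2, _, idx2) in zip(spans, spans[1:]):
        if start2 < end1:
            problems.append("partition %d overlaps the previous entry" % idx2)
    return problems


def diff_mbrs(a, b):
    """Name the regions in which two MBR dumps differ. A bootkit typically rewrites the
    boot code and leaves the partition table intact, so ['boot_code'] alone is the
    pattern to look for when comparing a fresh dump with a known-good copy."""
    return [name for name, (s, e) in REGIONS.items() if a[s:e] != b[s:e]]


def build_sample_mbr():
    """Constructed sample (not a real Windows MBR): a stub of boot code, C: as the active
    NTFS primary at sector 63 and an extended partition at cylinder 3824, mirroring the
    byte offsets in the MBRCheck log above."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c"   # xor ax,ax / mov ss,ax / mov sp,7C00h
    boot_code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"
    disk_sectors = 312_581_808                     # 160 GB disk, as in the aswMBR log
    ext_start = 3824 * SECTORS_PER_CYLINDER        # D:, E:, H: modelled as logical drives
    entries = [(0x80, 0x07, 63, ext_start - 63),   # C:, bootable NTFS
               (0x00, 0x0F, ext_start, disk_sectors - ext_start),
               (0, 0, 0, 0), (0, 0, 0, 0)]
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries)
    return boot_code + disk_sig + table + BOOT_SIGNATURE


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print("boot code SHA1:", info["boot_code_sha1"])
    for p in info["partitions"]:
        print("  entry %d%s type 0x%02X at LBA %d (offset 0x%X) track-aligned=%s" % (
            p["index"], " active" if p["active"] else "", p["type"], p["lba_start"],
            p["byte_offset"], cylinder_aligned(p["lba_start"])))
    print("problems:", sanity_problems(info, 312_581_808) or "none")
```

Feeding it the real dump0.dat instead of the sample is a one-line change; the useful comparison is `diff_mbrs()` between that dump and a copy taken from a known-good source such as the record written by the Recovery Console's fixmbr, because a hash database can only say "known" or "unknown", never "malicious".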

#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:27 AM

Posted 26 June 2011 - 04:51 AM

When I click to run aswMBR, it asked me to download latest Avast definition


Okay, now I understand. Agree to the update when you run aswMBR. :thumbup2:


MBR is still an unknown quantity so I need to see the record itself.

Please do the following:

Run MBRCheck again

When prompted, Enter 'Y' and hit ENTER for more options
When you see: "Enter your choice: Enter the physical disk number to dump (0-99, -1 to exit):"

Enter 0 to dump the MBR of the physical disk.

Name the dumped file as dump0.dat

Enter -1 to exit.

Please then locate the files and visit this site and follow the instructions for uploading the file.
m0le is a proud member of UNITE

#12 Jatin Rạjpura

Jatin Rạjpura
  • Topic Starter

  • Banned Spammer
  • 29 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:57 AM

Posted 26 June 2011 - 05:02 AM

Dear Helper,

As per your request, I have submitted the file at that location.


Edited by Jatin Rạjpura, 26 June 2011 - 05:06 AM.


#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:27 AM

Posted 26 June 2011 - 07:06 AM

That shows to be a clean MBR.

Please run Combofix next, this will find anything really nasty on the machine and as there are no rootkits on the system it won't get blocked

Please download ComboFix from one of these locations: IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, including firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#14 Jatin Rạjpura

Jatin Rạjpura
  • Topic Starter

  • Banned Spammer
  • 29 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:57 AM

Posted 26 June 2011 - 09:40 AM

Dear Helper,

As per your request, kindly find the attached log file from ComboFix. If I am not wrong, I can see some virus .exe files, so tell me how to remove them.

c:\documents and settings\Jatin_soni\Application Data\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe

c:\windows\system32\xvid.ax

c:\windows\system32\dpl100.dll

c:\documents and settings\Jatin_soni\Application Data\785016970.exe

#15 Jatin Rạjpura

Jatin Rạjpura
  • Topic Starter

  • Banned Spammer
  • 29 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:57 AM

Posted 26 June 2011 - 09:44 AM

Dear Helper,

As per your request, kindly find the attached log file from ComboFix. If I am not wrong, I can see some virus .exe files, so tell me how to remove them.

c:\documents and settings\Jatin_soni\Application Data\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe

c:\windows\system32\xvid.ax

c:\windows\system32\dpl100.dll

c:\documents and settings\Jatin_soni\Application Data\785016970.exe

I have scanned the whole hard disk with the Full Scan option in "House Call - Trend Micro Product", but still no error was found.

But as soon as I connected to the internet and enabled the antivirus after running ComboFix, this error comes again directly from the network virus scanner.
--> If I click on "More Details" in the network virus alert, I can't see any error, and it seems like every log is cleaned when I open it; it happens that fast.


You can see the attached file.

Edited by Jatin Rạjpura, 26 June 2011 - 09:46 AM.




