
Defender.exe Security Protection


18 replies to this topic

#1 Anthony J. Dern (Members, 10 posts)

Posted 08 September 2011 - 01:30 PM

Wife's computer got the Defender.exe trojan; the variant called itself SecurityProtection. OS is WinXP.

I attempted several of the removal tools I found online, but none of them would install. I found some instructions for manually removing the thing, and followed those instructions.

Now, the telltale Scanning Computer window no longer comes up; however, AVG was disabled and would not enable. Tried reinstalling AVG and got a message that I did not have permissions (yes, I am logged in as an administrator). Tried installing ESET. It will not install.

Malwarebytes did install, and after installation would start a scan. However, it closes about 10 seconds into the scan, and will not restart. A reinstallation will get a scan to start again, with the same results.

Contents of DDS.txt below. GMER will start but closes prior to the scan finishing, so no ark.txt attached.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Debbie at 11:51:32 on 2011-09-08
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.357 [GMT -6:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\1407388332:1408572588.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Dell\DellDock\DellDock.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Elantech\ETDCtrl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\PersistenceThread.exe
C:\Program Files\Battery Meter\BTMeter.exe
C:\Program Files\WSED\WSED.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\CapsLKNotify\CapsLKNotify.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe
C:\Program Files\Dell\Media Experience\PCMAgent.exe
C:\Program Files\Dell\Media Experience\Kernel\CLML\CLMLSvc.exe
C:\Program Files\Dell\PlayMovie\PMVService.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.live.com
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [ETDWare] c:\program files\elantech\ETDCtrl.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [PersistenceThread] c:\windows\system32\PersistenceThread.exe
mRun: [BTMeter] c:\program files\battery meter\BTMeter.exe
mRun: [WSED] c:\program files\wsed\WSED.exe
mRun: [<NO NAME>]
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [CapsLKNotify] c:\program files\capslknotify\CapsLKNotify.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Dell Webcam Central] "c:\program files\dell webcam\dell webcam central\WebcamDell.exe" /mode2
mRun: [PCMAgent] "c:\program files\dell\media experience\PCMAgent.exe"
mRun: [CLMLServer] "c:\program files\dell\media experience\kernel\clml\CLMLSvc.exe"
mRun: [PlayMovie] "c:\program files\dell\playmovie\PMVService.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [grafdtud] c:\documents and settings\debbie\local settings\application data\pigybsibq\xwqivfltssd.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYASwBQAEMAQgAtADYAQgBXAEYATQAtAFQAUgBMAFEAUgAtAEIAUgBVAEgAUAAtAEMAUAA4ADYARwA"&"inst=NwA3AC0ANwAxADUAMwAwADcAMAA1ADMALQBYAEcAKwAxAC0ARgBQADkAKwA2AC0AQgBBAFIAOQBHACsAMQAtAFQAQgA5ACsAMgAtAEYATAArADkALQBYAE8AMwA2ACsAMQAtAEYAOQBNADcAQwArADMALQBGADkATQAxADAAQgArADIALQBGADkATQAxACsAMQAtAFgATwA5ACsAMQAtAEQARABUACsANAAwADkAMQA3AC0AUwBUADkAMABGAEEAUABQACsAMQAtAEQARAA5ADAARgArADEALQBTAFQAMQAyAEYATwBJACsAMQA"&"prod=90"&"ver=9.0.894
StartupFolder: c:\docume~1\debbie\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.2.1 205.171.3.65
TCP: Interfaces\{E1CDAEA1-0D70-4040-9D8A-21CED048B385} : DhcpNameServer = 192.168.2.1 205.171.3.65
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: igdlogin - igdlogin.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [2009-7-5 14248]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-12-21 115008]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-12-18 155648]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-7-19 10384]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2009-7-5 135936]
R3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\drivers\ETD.sys [2009-7-5 93952]
R3 igd;igd;c:\windows\system32\drivers\igxpmp32.sys [2009-7-5 5088896]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-7-5 110080]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-9-6 22712]
R3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [2009-7-5 148056]
R3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [2009-7-5 133472]
R3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [2009-7-5 271328]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2009-7-5 157696]
S2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2011-1-12 810144]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-9-6 366640]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-7-5 1684736]
.
=============== Created Last 30 ================
.
2011-09-07 00:47:54 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-07 00:47:50 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-07 00:30:56 -------- d-----w- c:\documents and settings\debbie\application data\Malwarebytes
2011-09-07 00:19:53 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-09-07 00:19:53 -------- d-----w- c:\windows\system32\wbem\Repository
2011-09-06 23:51:50 48753152 ----a-w- C:\ess_nt32_enu.msi
2011-09-06 13:41:53 -------- d-----w- c:\documents and settings\debbie\local settings\application data\ESET
2011-09-06 13:40:10 -------- d-----w- c:\program files\ESET
2011-09-06 09:17:05 50112 --sha-w- c:\windows\system32\c_62394.nl_
2011-09-05 14:48:54 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-09-04 23:06:30 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2011-09-04 22:52:55 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2011-09-04 22:47:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-04 22:45:50 -------- d-----w- c:\documents and settings\all users\application data\Hitman Pro
2011-09-04 22:26:08 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2011-09-04 22:02:56 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-09-03 10:17:37 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
2011-08-31 02:09:31 4194304 ----a-w- c:\windows\system32\eaoyrryi.dll
2011-08-13 22:37:02 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-13 22:31:08 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
==================== Find3M ====================
.
2011-09-03 10:17:37 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
.
============= FINISH: 11:52:47.20 ===============




#2 Aaflac, "Doin' Dis 'n Dat..." (Malware Response Team, 2,307 posts, Location: USA)

Posted 09 September 2011 - 08:54 PM

Anthony J. Dern,

The information provided shows the characteristics of the ZeroAccess Rootkit.

First, let's take care of this file:
C:\WINDOWS\1407388332:1408572588.exe

It throws a wrench in the works, and programs will not run successfully...

Please download DummyCreator.zip:
http://download.bleepingcomputer.com/farbar/DummyCreator.zip

Unzip the folder:
  • Right-click and select: Extract all…
  • Follow the prompts to extract

Open the new folder that appears on the Desktop:
  • Double-click DummyCreator/DummyMaker to run the tool.

  • Now, copy/paste the following into the blank area:

C:\WINDOWS\1407388332

  • Press the Create button.

Save the content of the Result.txt to your Desktop, and post it in your reply.

Next, restart the computer!


Please do not run any malware removal programs while we are in the process of making repairs. Doing so may just make matters worse, and that, you do not want!

Thanks!

Edited by Aaflac, 09 September 2011 - 09:18 PM.

Old duck...
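Aaflac points at the executable running from an NTFS alternate data stream; the same DDS log also shows a browser proxy pointed at 127.0.0.1, a random-named autorun under Application Data, and a hidden system file dropped into system32. The script below is an added example, not from this thread or any BleepingComputer tool: it flags those four patterns with heuristics of its own, over a constructed excerpt of the posted log (SAMPLE_DDS) rather than a full DDS run.

```python
"""Triage a DDS log for ZeroAccess-style indicators (added example).

The rules are this script's own heuristics, not DDS or BleepingComputer logic;
SAMPLE_DDS is a constructed excerpt of the log posted earlier in this thread.
"""
import re

SAMPLE_DDS = r"""
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\1407388332:1408572588.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [grafdtud] c:\documents and settings\debbie\local settings\application data\pigybsibq\xwqivfltssd.exe
.
=============== Created Last 30 ================
.
2011-09-06 09:17:05 50112 --sha-w- c:\windows\system32\c_62394.nl_
2011-09-03 10:17:37 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
.
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
RUN_RE = re.compile(r'[um]Run: \[[^\]]*\] "?(.+?\.exe)"?', re.I)


def parse_dds(text):
    """Split a DDS log into {section name: [content lines]}; '.' spacers dropped."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line and line != ".":
            sections[current].append(line)
    return sections


def looks_random(name):
    """Assumed heuristic for machine-generated names: 7+ letters, under 30% vowels."""
    if len(name) < 7 or not name.isalpha():
        return False
    return sum(ch in "aeiou" for ch in name.lower()) / len(name) < 0.3


def triage(text):
    """Return (rule, offending line) pairs in log order."""
    s = parse_dds(text)
    hits = []
    for proc in s.get("Running Processes", []):
        path = proc.split(" -k ")[0]
        # A colon after the drive letter means the image is an NTFS alternate
        # data stream, as in C:\WINDOWS\1407388332:1408572588.exe above.
        if re.match(r"^[A-Za-z]:\\", path) and ":" in path[2:]:
            hits.append(("ADS_EXECUTABLE", proc))
    for entry in s.get("Pseudo HJT Report", []):
        if "ProxyServer" in entry and re.search(r"127\.0\.0\.1|localhost", entry):
            # Browser traffic forced through a local port; no proxy software appears in the log.
            hits.append(("LOOPBACK_PROXY", entry))
        m = RUN_RE.match(entry)
        if m and "\\application data\\" in m.group(1).lower():
            parts = m.group(1).split("\\")
            folder, stem = parts[-2], parts[-1].rsplit(".", 1)[0]
            if looks_random(folder) and looks_random(stem):
                hits.append(("RANDOM_AUTORUN", entry))
    for created in s.get("Created Last 30", []):
        fields = created.split(maxsplit=4)
        # Attribute column such as --sha-w-: system+hidden file dropped in system32.
        if len(fields) == 5 and {"s", "h"} <= set(fields[3]) \
                and "\\system32\\" in fields[4].lower():
            hits.append(("HIDDEN_SYSTEM32_DROP", created))
    return hits


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_DDS):
        print(f"{rule:21} {line}")
```

Benign entries in the excerpt (svchost, igfxtray.exe, the dllcache crypt32.dll) produce no hit, so the output lists exactly the four suspect lines.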


#3 Anthony J. Dern, Topic Starter (Members, 10 posts)

Posted 15 September 2011 - 12:58 AM

Here are the results.

DummyCreator by Farbar
Ran by Debbie (administrator) on 14-09-2011 at 23:55:28
**************************************************************

C:\WINDOWS\1407388332 [14-09-2011 23:55:29]

== End of log ==

#4 Aaflac, "Doin' Dis 'n Dat..." (Malware Response Team, 2,307 posts, Location: USA)

Posted 15 September 2011 - 10:03 AM

That is the result we want.


Please do the following, running ComboFix first and then the program that follows. If ComboFix does not run, press on to the next one anyway:


If you have ComboFix (CF) already on your Desktop, please remove it. We'll download an updated version.

Download ComboFix

Save ComboFix.exe to your Desktop!!

Make sure you temporarily disable your AntiVirus, Firewall, and any other AntiSpyware applications, usually via a right clicking on the System Tray icon. They may interfere with the running of CF.

Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link


Double-click on ComboFix.exe to run the program.

When given the option, DO install the Recovery Console. This program can come in very handy at times.

Click on Yes, to continue scanning for malware.

When finished, CF produces a report.

Please provide a copy of the C:\ComboFix.txt in your reply.


Notes:

1. Do not mouse-click the ComboFix window while it is running.
This action may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

3. CF disconnects your machine from the internet. However, the connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



~~~~
Please remove any previous download of TDSSKiller (if used) and download the latest version: TDSSKiller.exe

Execute the file:
XP - Double-click tdsskiller.exe

Press the button: Start Scan

The tool scans and detects two object types:
Malicious (where the malware has been identified)
Suspicious (where the malware cannot be identified)

When the scan is over, the tool outputs a list of detected objects (Malicious or Suspicious) with their description.

It automatically selects an action (Cure or Delete) for Malicious objects. Leave the setting as it is.

It also prompts the User to select an action to apply to Suspicious objects (Skip, by default). Leave the setting as it is.

After clicking 'Next/Continue', the tool applies the selected actions.


A Reboot Required prompt may appear after a disinfection. Please reboot.


By default, the tool outputs its log to the system disk root folder (the disk with the Windows operating system, normally C:\).

Logs have a name like:
C:\TDSSKiller.2.4.7_23.07.2010_15.31.43_log.txt

Please post the TDSSKiller log in your reply.



Need to see the following in your reply:
**The ComboFix log
**The TDSSKiller log
**Whether TDSSKiller needed a reboot

Edited by Aaflac, 15 September 2011 - 10:04 AM.

Old duck...


#5 Anthony J. Dern, Topic Starter (Members, 10 posts)

Posted 15 September 2011 - 11:50 AM

The two log files are attached.

Thanks.

Forgot to mention, TDSSKiller did NOT require a reboot.



#6 Aaflac, "Doin' Dis 'n Dat..." (Malware Response Team, 2,307 posts, Location: USA)

Posted 17 September 2011 - 11:57 PM

Let's search for any remnants by doing the scan that follows. You will need to use Internet Explorer for this scan.

Download ESET Online Scanner

Press the ESET Online Scanner download button
  • In the prompt that appears, check 'Yes' to Accept Terms of Use, and click the 'Start' button
  • Allow the ActiveX to download, and click: 'Install'
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats are found, click the 'List of found threats', then click Export to text file....
  • Save the file to your Desktop as: ESET Scan.

Please provide the contents of ESET Scan in your reply.

Old duck...


#7 Anthony J. Dern, Topic Starter (Members, 10 posts)

Posted 18 September 2011 - 04:41 PM

OK,

I unchecked "Remove found threats".
There was no "Scan unwanted applications" to check.
There was no "Advanced Settings" button.

The scan log is attached.



#8 Aaflac, "Doin' Dis 'n Dat..." (Malware Response Team, 2,307 posts, Location: USA)

Posted 18 September 2011 - 09:24 PM

Thanks for the info.

Some of the entries ESET identified are in the ComboFix Qoobox\Quarantine. They will be taken care of when we wrap up.

However, there are other entries that were affected by the infection, so you'll need to take the following action:


1. Run Spybot Search and Destroy and click on the Recovery button in the left pane to show the Recovery screen.
Place a checkmark next to the following entries, and press: Purge selected items.

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\GameVance8.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\GameVance9.zip


2. To make sure they are not false positives, let’s get some files analyzed at VirusTotal

First, you need to View Hidden Files and Folders in Windows XP.

Next, in Virus Total, submit each of the following files, one at a time:

C:\WINDOWS\system32\BCMWLTRY.EXE
C:\WINDOWS\system32\searchprotocolhost.exe

Use the 'Browse' button to navigate to the location of each file

Click on a file, and then click the 'Open' button.
The file is now displayed in the Submit Box.

Scroll down and click 'Send File', and wait for the results.

If you get a message saying: 'File has already been analyzed', click 'Reanalyze file now'

Once scanned, please provide the link to the results page for each file in your reply.

Once we get the results, we will press on.

Old duck...


#9 Anthony J. Dern, Topic Starter (Members, 10 posts)

Posted 18 September 2011 - 10:43 PM

Before I go and do something incorrect, I want to clarify.

I installed and ran Spybot Search and Destroy. In the Recovery screen, there are 20 items under the heading of GameVance. Attached screenshot shows some of them.

However, the two files you mention are not in the list?

Will await further instructions.

Well, the screenshot is too large to attach. The list includes a DLL, a couple of EXEs, several registry entries, and other GameVance related stuff.

#10 Aaflac, "Doin' Dis 'n Dat..." (Malware Response Team, 2,307 posts, Location: USA)

Posted 18 September 2011 - 11:47 PM

Is there a way you can obtain a log of what is contained in the Spybot Recovery screen? Can you copy/paste the info?

If not, press on with going to VirusTotal, and the rest of the instructions.

Thanks.

Old duck...


#11 Anthony J. Dern, Topic Starter (Members, 10 posts)

Posted 19 September 2011 - 12:04 AM

Results from VirusTotal.

http://www.virustotal.com/file-scan/report.html?id=6d15acd23ded2f504f28af1a225b0ad3c0bacff272a884f57a6463093cca8ce5-1316407629

http://www.virustotal.com/file-scan/report.html?id=7a672c467ef8ee1947fc9c99932288722b66628b81d91df191f4732dde98a44f-1316407822

#12 Aaflac, "Doin' Dis 'n Dat..." (Malware Response Team, 2,307 posts, Location: USA)

Posted 19 September 2011 - 07:54 AM

Not getting any results from those links. They just go back to the VirusTotal submit page.

Can you try them again, please?

Or, can you copy/paste the results, if possible...

Thanks.

Old duck...


#13 Anthony J. Dern, Topic Starter (Members, 10 posts)

Posted 19 September 2011 - 08:16 AM

From bcmwltry.exe, text of results attached.

Antivirus | Version | Last Update | Result
AhnLab-V3 | 2011.09.19.00 | 2011.09.19 | Win-Trojan/Patched.DD
AntiVir | 7.11.14.228 | 2011.09.19 | W32/PatchLoad.A
Antiy-AVL | 2.0.3.7 | 2011.09.19 | Trojan/Win32.Patched.gen
Avast | 4.8.1351.0 | 2011.09.18 | Win32:Patched-WQ [Trj]
Avast5 | 5.0.677.0 | 2011.09.18 | Win32:Patched-WQ [Trj]
AVG | 10.0.0.1190 | 2011.09.19 | Win32/Katusha.A
BitDefender | 7.2 | 2011.09.19 | Trojan.Patched.HE
ByteHero | 1.0.0.1 | 2011.09.13 | -
CAT-QuickHeal | 11.00 | 2011.09.19 | W32.Patchload.O
ClamAV | 0.97.0.0 | 2011.09.19 | Trojan.Patched-167
Commtouch | 5.3.2.6 | 2011.09.19 | W32/Patched.G
Comodo | 10168 | 2011.09.19 | TrojWare.Win32.Patched.HN
DrWeb | 5.0.2.03300 | 2011.09.19 | Trojan.Starter.1695
Emsisoft | 5.1.0.11 | 2011.09.19 | Packed.Win32.Katusha!IK
eSafe | 7.0.17.0 | 2011.09.18 | -
eTrust-Vet | 36.1.8568 | 2011.09.19 | Win32/Patchload.U
F-Prot | 4.6.2.117 | 2011.09.19 | W32/Patched.G
F-Secure | 9.0.16440.0 | 2011.09.19 | Trojan.Patched.HE
Fortinet | 4.3.370.0 | 2011.09.19 | W32/Patched.MF!tr
GData | 22 | 2011.09.19 | Trojan.Patched.HE
Ikarus | T3.1.1.107.0 | 2011.09.19 | Packed.Win32.Katusha
Jiangmin | 13.0.900 | 2011.09.18 | TrojanSpy.Zbot.adxr
K7AntiVirus | 9.113.5150 | 2011.09.17 | Trojan
Kaspersky | 9.0.0.837 | 2011.09.19 | Trojan.Win32.Patched.mf
McAfee | 5.400.0.1158 | 2011.09.19 | W32/Katusha
McAfee-GW-Edition | 2010.1D | 2011.09.19 | W32/Katusha
Microsoft | 1.7604 | 2011.09.19 | Virus:Win32/Patchload.O
NOD32 | 6475 | 2011.09.19 | Win32/Patched.HN
nProtect | 2011-09-19.01 | 2011.09.19 | -
Panda | 10.0.3.5 | 2011.09.18 | W32/Katusha.BN
PCTools | 8.0.0.5 | 2011.09.19 | Trojan.Paccyn
Prevx | 3.0 | 2011.09.19 | -
Rising | 23.76.00.03 | 2011.09.19 | Win32.Loader.li
Sophos | 4.69.0 | 2011.09.19 | W32/Patched-AK
SUPERAntiSpyware | 4.40.0.1006 | 2011.09.17 | -
TheHacker | 6.7.0.1.298 | 2011.09.17 | -
TrendMicro | 9.500.0.1008 | 2011.09.19 | PTCH_KATUSHA.W
TrendMicro-HouseCall | 9.500.0.1008 | 2011.09.19 | PTCH_KATUSHA.W
VIPRE | 10522 | 2011.09.19 | Virus.Win32.Agent.mpq (v)
ViRobot | 2011.9.19.4676 | 2011.09.19 | Win32.Patched.BE
VirusBuster | 14.0.219.0 | 2011.09.18 | Win32.Katusha.Gen

MD5: f1adf70c77639812ef745ba8f1af75d2
SHA1: dd5fcb941b43f6dab9b5d2116093637feb8375d2
SHA256: 6d15acd23ded2f504f28af1a225b0ad3c0bacff272a884f57a6463093cca8ce5
http://www.virustotal.com/file-scan/report.html?id=6d15acd23ded2f504f28af1a225b0ad3c0bacff272a884f57a6463093cca8ce5-1316436560

From searchprotocolhost.exe, text of results attached.
http://www.virustotal.com/file-scan/report.html?id=7a672c467ef8ee1947fc9c99932288722b66628b81d91df191f4732dde98a44f-1316437628



#14 Anthony J. Dern, Topic Starter (Members, 10 posts)

Posted 19 September 2011 - 08:18 AM

The links seem to work this time.

#15 Aaflac, "Doin' Dis 'n Dat..." (Malware Response Team, 2,307 posts, Location: USA)

Posted 19 September 2011 - 02:05 PM

Yes! Thank you.

Just wanted to make sure we are not dealing with false positives…it happens.

Please run the ESET Online Scanner once again and let it take action on the entries found.
This time it should not take as long, as you already downloaded its scanning definitions.


Make sure that the option Remove found threats is checked.

Click Scan

When done, click the List of found threats, then click Export to text file....
Save the file to your Desktop as: ESET2 Scan

Please provide the contents of ESET2 Scan in your reply.

Also, please provide an update as to whether you are still experiencing malware problems.

Old duck...




