Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Win32 / Katusha.A


  • This topic is locked This topic is locked
66 replies to this topic

#1 kikaman33

kikaman33

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:08:54 AM

Posted 20 September 2011 - 01:28 PM

My PC seems to be infected by some type of Malware. My antivirus program -- AVG -- showed the PC is infected with Win32/katusha.A although it couldn't get rid of it. I get google redirections and frequent windows security alert pop ups when I start a program stating that Windows Firewall has blocked some features of the program. Tried using MBAM and Superantispyware although both stop midway through.

The DDS log is below and the attach.txt doc attached.

Please note, I tried running GMER but it got shut down and when I tried a second time I got an error message that windows cannot access the specified device, path or file.

Thanks for your help.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Run by Patrick at 11:04:21 on 2011-09-20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.1849 [GMT -7:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\1717079585:3731990425.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [<NO NAME>]
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\patrick\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: mswsock.dll
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - hxxp://aolcc.aol.com/computercheckup/qdiagcc.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1118953582000
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxps://mail.devinegong.com/Remote/msrdp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {AF087E66-838E-4A97-8A0B-0DDDA5DEA239} - hxxps://streaming.endeavors.com/microsoft/streets/clientdownloads/OTAI.CAB
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{9E3176A2-793A-45E1-81EF-42289DA6DF06} : DhcpNameServer = 192.168.1.254
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\patrick\application data\mozilla\firefox\profiles\uy9pr074.default\
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
.
============= SERVICES / DRIVERS ===============
.
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-29 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-29 29712]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-29 243152]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]
R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2003-2-10 118784]
R2 AsfAlrt;AsfAlrt;c:\windows\system32\drivers\Asfalrt.sys [2002-12-18 36064]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\sony\pmb\PMBDeviceInfoProvider.exe [2009-10-24 360224]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-8-31 1245064]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe --> c:\progra~1\avg\avg8\avgwdsvc.exe [?]
S3 ATWPKT;ATWPKT;c:\windows\system32\drivers\atwpkt.sys [2004-8-31 19140]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-10-30 430152]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 7408]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]
S3 VVBETHERNET;Actiontec USB Ethernet Home DSL;c:\windows\system32\drivers\VVBETH.SYS [2004-8-31 34560]
S3 vvbususb;Virata USB VvBus driver;c:\windows\system32\drivers\VVBUSUSB.SYS [2004-8-31 50236]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-09-20 17:47:32 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-09-20 17:47:32 -------- d-----w- c:\windows\system32\wbem\Repository
2011-09-03 10:17:37 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
2011-08-30 19:53:47 -------- d-----w- c:\documents and settings\patrick\application data\webex
2011-08-30 19:53:19 -------- d-----w- c:\program files\WebEx
2011-08-29 23:29:33 -------- d-----w- c:\program files\common files\ODBC
2011-08-29 23:29:33 -------- d-----w- c:\documents and settings\all users\Microsoft
2011-08-29 23:27:06 -------- d-----w- c:\program files\Microsoft Analysis Services
2011-08-29 23:26:42 -------- d-----w- c:\documents and settings\patrick\local settings\application data\Microsoft Help
.
==================== Find3M ====================
.
2011-09-20 17:48:32 7304 ----a-w- c:\windows\TMP0001.TMP
2011-09-15 17:38:27 9706 --sha-w- c:\windows\system32\KGyGaAvL.sys
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-31 14:15:37 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-12 18:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 18:20:54 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 11:06:13.53 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:54 PM

Posted 20 September 2011 - 02:21 PM

Good evening. :)

Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingcomputer.com/combofix/how-to-use-combofix *

  • When prompted to save Combofix, change the filename BEFORE saving it - any name will do, as long as it has .exe at the end.
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of it's removal tasks without the installation of the Console, so you are free to choose whether you want to complete this step, but it is in your interests to do so.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for!

So long, and thanks for all the fish.

 

 


#3 kikaman33

kikaman33
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:08:54 AM

Posted 20 September 2011 - 03:37 PM

Thanks for the quick response. I followed instructions but couldn't get combofix to work.

After disabling antivirus and firewall, I downloaded combofix under a new name. When I hit run it started working but then disappeared (kind of like when I tried using Anti-Malware). I tried downloading again with another name, hit run and then got an error message stating "error opening file for writing: C:\32788R22FWJFW\iexplore.exe" It then gives me three options: click abort to stop the installation, retry to try again or ignore to skip this file.

#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:54 PM

Posted 20 September 2011 - 04:37 PM

Pay a visit to the ESET Online Scanner.

  • Click the ESET Online Scanner button and a new window will open - you may need to maximise it.
  • Click the Run ESET Online Scanner button in the new window.
  • If you are using any other browser than IE, you will be prompted to download and run esetsmartinstaller_enu.exe and the scan will run from within the window that the executable opens.
  • Regardless of which browser you are using, you will be shown some terms and conditions and you will need to accept these to continue.
  • If you are running IE for this scan you will then be prompted to allow an ActiveX component to be downloaded, unless you already have it installed, and the scan will run inside IE.
  • When you see the Computer Scan Settings window, you will need to make the following changes:

    • UNCHECK Remove found threats - this is important.
    • Check Scan archives
    • Click on Advanced settings
    • Check Scan for potentially unsafe applications
  • Once ready, click Start to begin - not a surprise really!
  • The anti-virus definitions will now be downloaded, so don't forget to allow them through your firewall if prompted.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

So long, and thanks for all the fish.

 

 


#5 kikaman33

kikaman33
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:08:54 AM

Posted 20 September 2011 - 08:02 PM

Here's the log

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws1.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudXPInternetSecurity.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFakeAlertttam.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFakeAlertttam1.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFakeAlertttam2.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFakeAlertttam3.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloadersit.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobVcodec.zip Win32/Bagle.gen.zip worm
C:\Program Files\AVG\AVG9\avgchsvx.exe Win32/Patched.HN trojan
C:\Program Files\CDBurnerXP\NMSAccessU.exe Win32/Patched.HN trojan
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe Win32/Patched.HN trojan
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe Win32/Patched.HN trojan
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe Win32/Patched.HN trojan
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE Win32/Patched.HN trojan
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe Win32/Patched.HN trojan
C:\Program Files\Intel\ASF Agent\ASFAgent.exe Win32/Patched.HN trojan
C:\Program Files\iPod\bin\iPodService.exe Win32/Patched.HN trojan
C:\Program Files\Java\jre6\bin\jqs.exe Win32/Patched.HN trojan
C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe Win32/Patched.HN trojan

#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:54 PM

Posted 21 September 2011 - 02:17 PM

Good evening. :)

Download aswMBR.exe from here and save it to your Desktop.

  • Double click the tool to run it.
  • Click the Scan button to, well, start the scan - obvious really!
  • Once the scan reports "Scan finished successfully", which takes less than a minute on my system, click Save log.
  • On my system it offers to save it to the Desktop, which may or may not be it's default behaviour, but it's as handy a place as any.
  • You'll also see a file called MBR.dat appear as well - this is a backup that it created, just in case it's needed. Keep it handy for now.

I'd like the contents of aswMBR.txt in your next reply, if you'd be so kind.

So long, and thanks for all the fish.

 

 


#7 kikaman33

kikaman33
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:08:54 AM

Posted 21 September 2011 - 03:40 PM

Followed your instructions although I had the same problem as with combofix -- the program just disappeared midway through the scan. I tried a second time after saving with a different name but the same thing happened.

Thanks

#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:54 PM

Posted 22 September 2011 - 02:30 PM

Good evening. :)

Download a copy of HiJackThis.msi from here and save it to your Desktop

  • Double click HiJackThis.msi to begin installation.
  • You will need to accept the EULA to install the tool, so check the box and click Next.
  • Accept the installation location, which by default is C:\Program Files\Trend Micro\HijackThis or click the Change... button if you want to choose somewhere else and then click Next
  • Once HJT has installed click Finish to finish - nice and clear this bit!
  • A shortcut will be handily created on your Desktop, so click it to begin.
  • Click on Open the Misc Tools section.
  • Click the Open ADS Spy... button.
  • Uncheck "Quick scan (Windows base folder only)"
  • Click the Scan button to the left of the Save log... button.
  • If there are any detections when the scan has completed, click the Save log... button.
  • When the "Save ADS Spy log..." window open, click the Save button.
  • The log will be displayed in a Notepad window and when you close it, it will be saved by default to your Desktop.
  • Copy and paste the contents of the file adsspy.txt into your next reply, or let me know that the scan was clean.

So long, and thanks for all the fish.

 

 


#9 kikaman33

kikaman33
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:08:54 AM

Posted 22 September 2011 - 03:05 PM

Wow -- couldn't get this to work either. When I double click I get an error notice stating "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item."

#10 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:54 PM

Posted 22 September 2011 - 03:33 PM

OK, this one should work.

Please download DummyCreator.zip and unzip it.
  • Run the tool.
  • Copy and paste the following into the edit box:

    C:\WINDOWS\1717079585:3731990425.exe
  • Press Create button and post the content of the Result.txt.

    Important: Restart the computer.

So long, and thanks for all the fish.

 

 


#11 kikaman33

kikaman33
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:08:54 AM

Posted 22 September 2011 - 03:41 PM

Just to be clear and so I don't mess up, at what point should I restart the computer? After posting the contents of the Result.txt?

By the way, thanks for all of your help.

#12 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:54 PM

Posted 22 September 2011 - 03:48 PM

My bad, reboot the PC once you've run the tool and then when the wee machine is back up and running, let me have the log.

By the way, thanks for all of your help.

Thank me when i've actually achieved something worthwhile! :whistle:

So long, and thanks for all the fish.

 

 


#13 kikaman33

kikaman33
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:08:54 AM

Posted 22 September 2011 - 03:53 PM

Nope -- wouldn't work. Got an AutoIt Error that reads "Line 1190 (File "C:\Documents and Settings\Patrick\Desktop\DummyCreator.exe"): Error: Subscript used with non-Array variable."

#14 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:54 PM

Posted 22 September 2011 - 05:57 PM

My bad, part two. Farbar, who coded the tool, was kind enough to take a look and I made a teensie tiny error. Run the tool again, but this time paste the following into the edit box:

C:\WINDOWS\1717079585

So long, and thanks for all the fish.

 

 


#15 kikaman33

kikaman33
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:08:54 AM

Posted 22 September 2011 - 06:34 PM

Here's the log. Doesn't seem to be much there:


DummyCreator by Farbar
Ran by Patrick (administrator) on 22-09-2011 at 16:26:13
**************************************************************

C:\WINDOWS\1717079585 [22-09-2011 16:26:13]

== End of log




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users