
00000001.@ BDS/ZAccess.V, 800000cb.@ TR/ATRAPS.Gen2.Trojan, 80000000.@ TR/ATRAPS.Gen.Trojan, n TR/Sirefef.P.389 Trojan


This topic is locked
20 replies to this topic

#1 go2town

  • Members
  • 12 posts

Posted 14 August 2012 - 12:54 PM

I have the following recurring malware, according to Avira AntiVir. I attached the gmer log as per the prep guide. Running DDS hangs the whole computer. I'm using WinXP Home.
Could you help to fix this issue? Thanks!

Virus or unwanted program 'BDS/ZAccess.V [backdoor]'
detected in file 'C:\WINDOWS\Installer\{a0afe051-a965-fa01-755d-d36c15b0d64e}\U\00000001.@

Virus or unwanted program 'TR/ATRAPS.Gen2 [trojan]'
detected in file 'C:\WINDOWS\Installer\{a0afe051-a965-fa01-755d-d36c15b0d64e}\U\800000cb.@

Virus or unwanted program 'TR/ATRAPS.Gen [trojan]'
detected in file 'C:\WINDOWS\Installer\{a0afe051-a965-fa01-755d-d36c15b0d64e}\U\80000000.@

Virus or unwanted program 'TR/Sirefef.P.389 [trojan]'
detected in file 'C:\WINDOWS\Installer\{a0afe051-a965-fa01-755d-d36c15b0d64e}\n

Virus or unwanted program 'TR/Sirefef.P.389 [trojan]'
detected in file 'C:\Documents and Settings\LIQUID\Local Settings\Application Data\{a0afe051-a965-fa01-755d-d36c15b0d64e}\n

Virus or unwanted program 'TR/Winwebsec.A.3416 [trojan]'
detected in file 'C:\System Volume Information\_restore{00A0FBA4-8A7B-4558-BAF6-C51A17F285BD}\RP347\A0040155.exe

Attached Files

  • ark.txt (635 bytes, 5 downloads)

Edited by go2town, 14 August 2012 - 02:10 PM.




#2 go2town

  • Topic Starter
  • Members
  • 12 posts

Posted 16 August 2012 - 10:25 AM

Hi,

Have you been able to take a look at this? I don't think gmer found any malware from what I've been able to discern. Looks like it just found the Spybot Resident hooks.

I saw other posts with similar threats, where they used ComboFix, TDSSKiller, aswMBR. Should I try these tools first?

#3 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 17 August 2012 - 07:36 PM

Please run the following:

Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Edited by CatByte, 17 August 2012 - 07:37 PM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#4 go2town

  • Topic Starter
  • Members
  • 12 posts

Posted 18 August 2012 - 12:44 AM

Thanks for helping, CatByte!

I ran ComboFix, but it hung the computer. I deactivated the Spybot Resident/TeaTimer, as well as Avira AntiVir (umbrella in system tray is closed), and Windows Firewall was off. After starting ComboFix and leaving it for about 80 mins, it got as far as:

Scanning for infected files...
This typically doesn't take more than 10 minutes
However, scan times for badly infected machines may easily double


The only thing I could do at that point was to shut down the computer using the power button.

I tried running ComboFix twice, with the same result.

#5 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 18 August 2012 - 07:27 AM

Please boot into safe mode and try running it from safe mode:

To Enter Safemode
  • Go to Start > Shut off your Computer > Restart
  • As the computer starts to boot up, tap the F8 key repeatedly; this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
  • Go into your usual account



If it still won't run in safe mode, then run it using the following command from a run box:



Press the WinKey + R to open a run box:

Copy/paste the following text into the open run box > Click OK

ComboFix /nombr

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#6 go2town

  • Topic Starter
  • Members
  • 12 posts

Posted 19 August 2012 - 04:00 PM

Running ComboFix in Safemode also resulted in the computer hanging at the same spot noted in my last post.
However, I was able to run ComboFix (in normal startup mode) via the Run box!

Here's the output log:

ComboFix 12-08-17.03 - LIQUID 19/08/2012 13:58:07.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.495.157 [GMT -4:00]
Running from: c:\documents and settings\LIQUID\Desktop\ComboFix.exe
Command switches used :: /nombr
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\LIQUID\Local Settings\Application Data\{a0afe051-a965-fa01-755d-d36c15b0d64e}
c:\documents and settings\LIQUID\Local Settings\Application Data\{a0afe051-a965-fa01-755d-d36c15b0d64e}\@
c:\documents and settings\LIQUID\Local Settings\Application Data\{a0afe051-a965-fa01-755d-d36c15b0d64e}\n
c:\windows\Installer\{a0afe051-a965-fa01-755d-d36c15b0d64e}
c:\windows\Installer\{a0afe051-a965-fa01-755d-d36c15b0d64e}\@
c:\windows\Installer\{a0afe051-a965-fa01-755d-d36c15b0d64e}\n
c:\windows\Installer\{a0afe051-a965-fa01-755d-d36c15b0d64e}\U\00000001.@
c:\windows\Installer\{a0afe051-a965-fa01-755d-d36c15b0d64e}\U\80000000.@
c:\windows\Installer\{a0afe051-a965-fa01-755d-d36c15b0d64e}\U\800000cb.@
c:\windows\system32\SET118.tmp
c:\windows\system32\SET119.tmp
c:\windows\system32\SET11A.tmp
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr70.dll
c:\windows\system32\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-07-19 to 2012-08-19 )))))))))))))))))))))))))))))))
.
.
2012-07-31 15:13 . 2012-08-12 19:34 -------- d-----w- c:\documents and settings\All Users\Application Data\6F63A59D846B088E1AB2E4997B07D329
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-13 13:19 . 2003-04-28 18:28 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50 . 2010-11-09 07:52 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2003-04-28 18:27 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32 . 2003-04-28 18:27 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 19:19 . 2010-11-11 01:37 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19 . 2010-11-11 01:37 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19 . 2010-11-08 22:53 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19 . 2010-11-08 22:52 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 19:19 . 2010-11-08 22:52 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 19:19 . 2010-11-11 01:37 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 19:19 . 2010-11-11 01:37 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19 . 2010-11-08 22:52 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 19:19 . 2003-04-28 18:39 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 19:19 . 2003-04-28 18:27 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 19:19 . 2010-11-11 01:37 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 19:19 . 2010-11-08 22:53 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 19:19 . 2003-04-28 18:39 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 19:18 . 2010-11-21 23:57 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-06-02 19:18 . 2010-11-21 23:57 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 19:18 . 2009-08-07 00:23 214256 ----a-w- c:\windows\system32\muweb.dll
2012-05-31 13:22 . 2002-09-23 22:10 599040 ----a-w- c:\windows\system32\crypt32.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-06 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-06 114688]
"PmProxy"="c:\program files\Analog Devices\SoundMAX\PmProxy.exe" [2003-02-28 40960]
"00THotkey"="c:\windows\System32\00THotkey.exe" [2003-04-16 258048]
"000StTHK"="000StTHK.exe" [2001-06-24 24576]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2002-12-25 159744]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-22 126976]
"TFNF5"="TFNF5.exe" [2001-08-03 73728]
"Tpwrtray"="TPWRTRAY.EXE" [2002-12-10 237568]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-09-19 281768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]
"LogitechGalleryRepair"="c:\program files\Logitech\ImageStudio\ISStart.exe" [2002-12-10 155648]
"LogitechImageStudioTray"="c:\program files\Logitech\ImageStudio\LogiTray.exe" [2002-12-10 61440]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-08-13 196608]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2010-11-21 169472]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2003-4-28 155648]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [09/11/2010 4:26 AM 136360]
R3 wlags48b;Wireless LAN PCCard Driver;c:\windows\system32\drivers\wlags48b.sys [28/04/2003 6:45 PM 156672]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [18/12/2009 12:58 PM 11336]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [23/09/2010 3:46 AM 1375992]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-19 14:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-08-19 14:13:16
ComboFix-quarantined-files.txt 2012-08-19 18:13
.
Pre-Run: 24,070,397,952 bytes free
Post-Run: 24,426,098,688 bytes free
.
- - End Of File - - 8934AF8D3999FAC6D0BA02F35883CEDD


#7 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 19 August 2012 - 07:59 PM

Please run the following:

Press the WinKey + R to open a run box, then copy/paste the following single-line command into the Run box and click OK:

cmd /c rmdir /s /q "c:\documents and settings\All Users\Application Data\6F63A59D846B088E1AB2E4997B07D329"




NEXT

Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#8 go2town

  • Topic Starter
  • Members
  • 12 posts

Posted 20 August 2012 - 04:40 PM

Malwarebytes didn't find a problem.



Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.20.08

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
LIQUID :: SWGENUSE [administrator]

20/08/2012 3:13:52 PM
mbam-log-2012-08-20 (15-13-52).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 183364
Time elapsed: 11 minute(s), 28 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


#9 go2town

  • Topic Starter
  • Members
  • 12 posts

Posted 20 August 2012 - 04:42 PM

ESET found 6 threats.


C:\Qoobox\Quarantine\C\Documents and Settings\LIQUID\Local Settings\Application Data\{a0afe051-a965-fa01-755d-d36c15b0d64e}\n.vir a variant of Win32/Kryptik.AJEE trojan
C:\Qoobox\Quarantine\C\WINDOWS\Installer\{a0afe051-a965-fa01-755d-d36c15b0d64e}\n.vir a variant of Win32/Kryptik.AJEE trojan
C:\Qoobox\Quarantine\C\WINDOWS\Installer\{a0afe051-a965-fa01-755d-d36c15b0d64e}\U\00000001.@.vir Win32/Conedex.I trojan
C:\Qoobox\Quarantine\C\WINDOWS\Installer\{a0afe051-a965-fa01-755d-d36c15b0d64e}\U\80000000.@.vir a variant of Win32/Sirefef.FA trojan
C:\Qoobox\Quarantine\C\WINDOWS\Installer\{a0afe051-a965-fa01-755d-d36c15b0d64e}\U\800000cb.@.vir probably a variant of Win32/Agent.TEO trojan
C:\System Volume Information\_restore{00A0FBA4-8A7B-4558-BAF6-C51A17F285BD}\RP347\A0040155.exe a variant of Win32/Kryptik.AJFP trojan
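The detections quoted in posts #1, #6 and #9 all share one on-disk layout: a randomly named `{GUID}` folder holding a `U` subfolder with `<8 hex digits>.@` files, plus a bare file called `n`. The ESET report also mixes locations that matter (live paths) with ones that do not (ComboFix's `C:\Qoobox\Quarantine`, where the `.vir` suffix marks a quarantined copy, and `System Volume Information\_restore{...}` restore points). As an added example, not part of this thread and not code from any of the tools used in it, the following Python triages scanner output lines the way a helper would: it flags lines whose path follows that `{GUID}\U\*.@` / `{GUID}\n` layout and classifies each detection as active, quarantined or in a restore point. The sample lines are constructed here, modelled on the Avira and ESET output above.

```python
import re

# Constructed sample lines modelled on the Avira alerts (post #1) and the ESET report (post #9).
SAMPLE_LINES = [
    "Virus or unwanted program 'BDS/ZAccess.V [backdoor]'",
    r"detected in file 'C:\WINDOWS\Installer\{a0afe051-a965-fa01-755d-d36c15b0d64e}\U\00000001.@",
    r"detected in file 'C:\Documents and Settings\LIQUID\Local Settings\Application Data\{a0afe051-a965-fa01-755d-d36c15b0d64e}\n",
    r"C:\Qoobox\Quarantine\C\WINDOWS\Installer\{a0afe051-a965-fa01-755d-d36c15b0d64e}\U\80000000.@.vir a variant of Win32/Sirefef.FA trojan",
    r"C:\System Volume Information\_restore{00A0FBA4-8A7B-4558-BAF6-C51A17F285BD}\RP347\A0040155.exe a variant of Win32/Kryptik.AJFP trojan",
    r"detected in file 'C:\Program Files\Example\setup.exe",  # constructed: ordinary path, not the layout above
]

GUID = r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"

# The layout seen in this thread: <guid>\U\<8 hex>.@ or <guid>\n, optionally with
# ComboFix's .vir quarantine suffix, followed by a quote, whitespace or end of line.
ZEROACCESS_RE = re.compile(
    GUID + r"\\(?:U\\[0-9a-f]{8}\.@|n)(?:\.vir)?(?=['\s]|$)", re.IGNORECASE)

# Location markers: ComboFix quarantine folder / .vir suffix, and XP restore points.
QUARANTINE_RE = re.compile(r"\\Qoobox\\Quarantine\\|\.vir\b", re.IGNORECASE)
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)

# Any line carrying a drive-letter path is treated as a file detection line.
DRIVE_PATH_RE = re.compile(r"[A-Za-z]:\\")


def classify_location(line: str) -> str:
    """active = a live path; quarantine / restore_point = already neutralised copies."""
    if QUARANTINE_RE.search(line):
        return "quarantine"
    if RESTORE_RE.search(line):
        return "restore_point"
    return "active"


def triage(lines):
    """Return one finding per detection line: where it lives and whether it matches the layout."""
    findings = []
    for line in lines:
        if not DRIVE_PATH_RE.search(line):
            continue  # banner / name-only lines carry no path to triage
        findings.append({
            "line": line,
            "location": classify_location(line),
            "zeroaccess_layout": bool(ZEROACCESS_RE.search(line)),
        })
    return findings


def needs_action(findings):
    """Only detections in an active location still need cleaning; the rest are housekeeping."""
    return [f for f in findings if f["location"] == "active"]


def summarize(findings):
    """Count detections per location class."""
    counts = {}
    for f in findings:
        counts[f["location"]] = counts.get(f["location"], 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LINES)
    for f in results:
        flag = "LAYOUT-MATCH" if f["zeroaccess_layout"] else "            "
        print(f"{f['location']:<14} {flag} {f['line'][:90]}")
    print("summary:", summarize(results))
    print("still active:", len(needs_action(results)))
```

Run on the sample, the two Avira paths are reported as active and matching the layout, the Qoobox entry as quarantine, the restore-point entry as restore_point, and the ordinary path as active but not matching; only the active entries are listed as still needing work, which is the distinction CatByte draws in post #10.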


#10 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 20 August 2012 - 09:15 PM

All of those detections are either in quarantine or in old restore points, which can't harm the computer (we will clean those up at the end).

Please run the following:


  • Please download MiniToolBox and save it to your desktop and run it.

    Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List installed programs.

Click Go and post the result (Result.txt) that pops up. A copy of result.txt will be saved in the same directory the tool is run.

NEXT


Please download Farbar Service Scanner to your desktop and run it.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.



NEXT


Please advise how the computer is running now and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 go2town

  • Topic Starter
  • Members
  • 12 posts

Posted 21 August 2012 - 01:38 PM

Hi CatByte,

My computer has been running fine so far. There are no more recurring threat warnings from Avira. Shall I dare say we have victory?!

Is there any compromise or exposure from using the /nombr option of ComboFix? Does the use of that option cause ComboFix to skip a certain scan? If so, did one of the other scanners we used (such as Malwarebytes or ESET) cover the part of the scan that was skipped by ComboFix?

Here's the MiniToolBox result:

MiniToolBox by Farbar Version: 23-07-2012
Ran by LIQUID (administrator) on 21-08-2012 at 13:38:11
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================


Windows IP Configuration



Successfully flushed the DNS Resolver Cache.


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================

127.0.0.1 localhost


=========================== Installed Programs ============================

7-Zip 4.65
Ad-Aware
Ad-Aware (Version: 8.3.0)
Adobe AIR (Version: 2.5.1.17730)
Adobe Flash Player 11 ActiveX (Version: 11.3.300.271)
Adobe Reader 9.5.2 (Version: 9.5.2)
Alps Pointing-device Driver
APOLLO P-2100U Series Printer
Avira AntiVir Personal - Free Antivirus (Version: 10.2.0.700)
Drag'n Drop CD+DVD
DVD-RAM Driver
ESET Online Scanner v3
Intel® Extreme Graphics Driver
Intel® Network Connections Drivers
InterVideo WinDVD 4
Java Auto Updater (Version: 2.0.5.1)
Java™ 6 Update 26 (Version: 6.0.260)
Logitech Desktop Messenger
Logitech ImageStudio (Version: 7.30.0000)
Malwarebytes Anti-Malware version 1.62.0.1300 (Version: 1.62.0.1300)
Microsoft .NET Framework (English) (Version: 1.0.3705)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB928367)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
OpenOffice.org 3.3 (Version: 3.3.9567)
SeaTools for Windows (Version: 1.2.0.4)
Skype™ 5.3 (Version: 5.3.120)
SoundMAX
Spybot - Search & Destroy (Version: 1.6.2)
System Requirements Lab for Intel (Version: 4.3.13.0)
TOSHIBA ConfigFree
TOSHIBA Console
Toshiba Hotkey Utility for Display Devices
TOSHIBA Power Saver
Toshiba Registration (Version: 1.00.0000)
Toshiba Tbiosdrv Driver
TOSHIBA TouchPad On/Off Utility V2.05.00
TOSHIBA Utilities
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2533523) (Version: 1)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB2362765) (Version: 1)
Update for Windows Internet Explorer 8 (KB2447568) (Version: 1)
Update for Windows Internet Explorer 8 (KB976662) (Version: 1)
Update for Windows XP (KB2141007) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2467659) (Version: 1)
Update for Windows XP (KB2492386) (Version: 1)
Update for Windows XP (KB2541763) (Version: 1)
Update for Windows XP (KB2607712) (Version: 1)
Update for Windows XP (KB2616676) (Version: 1)
Update for Windows XP (KB2641690) (Version: 1)
Update for Windows XP (KB2718704) (Version: 1)
Update for Windows XP (KB898461) (Version: 1)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB955759) (Version: 1)
Update for Windows XP (KB967715) (Version: 1)
Update for Windows XP (KB968389) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
Update for Windows XP (KB971737) (Version: 1)
Update for Windows XP (KB973687) (Version: 1)
Update for Windows XP (KB973815) (Version: 1)
Visual C++ 2008 x86 Runtime - (v9.0.30729) (Version: 9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01 (Version: 9.0.30729.01)
WebFldrs XP (Version: 9.50.6513)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3 (Version: 20080414.031525)

**** End of log ****


#12 go2town

  • Topic Starter
  • Members
  • 12 posts

Posted 21 August 2012 - 01:41 PM

Here's the FSS log:

Farbar Service Scanner Version: 06-08-2012
Ran by LIQUID (administrator) on 21-08-2012 at 13:43:37
Running from "C:\Documents and Settings\LIQUID\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x0700000004000000010000000200000003000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****


#13 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 21 August 2012 - 02:14 PM

It skips the MBR. I want you to run the following:

  • Please download aswMBR.exe and save it to your desktop.
  • Double click aswMBR.exe to start the tool.
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click Scan

  • Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.



NEXT


Visit ADOBE and download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.


NEXT

Your Java is out of date, so go to Start > Control Panel > Add/Remove Programs > scroll down to the old Java installation(s) and Remove it, now download the latest Java version 7 update 5 and install it: http://java.com/en/download/index.jsp

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#14 go2town

  • Topic Starter
  • Members
  • 12 posts

Posted 21 August 2012 - 04:53 PM

The link to aswMBR.exe isn't working. It times out. This also happens when I try to download from your Downloads section:
http://www.bleepingcomputer.com/download/aswmbr/

I'll try again later today.

#15 go2town

  • Topic Starter
  • Members
  • 12 posts

Posted 21 August 2012 - 11:55 PM

While aswMBR was scanning C:\WINDOWS, Avira reported a threat:

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\LIQUID\Local Settings\temp\_avast4_\unp181593938.tmp




aswMBR did finish successfully, with the following log:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-08-21 22:44:57
-----------------------------
22:44:57.394 OS Version: Windows 5.1.2600 Service Pack 3
22:44:57.394 Number of processors: 1 586 0x209
22:44:57.394 ComputerName: SWGENUSE UserName:
22:44:58.536 Initialize success
22:54:32.181 AVAST engine defs: 12082100
22:55:06.390 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
22:55:06.390 Disk 0 Vendor: IC25N040ATMR04-0 MO2OAD0A Size: 38154MB BusType: 3
22:55:06.410 Disk 0 MBR read successfully
22:55:06.410 Disk 0 MBR scan
22:55:06.680 Disk 0 Windows XP default MBR code
22:55:06.720 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38154 MB offset 63
22:55:06.850 Disk 0 scanning sectors +78140160
22:55:07.251 Disk 0 scanning C:\WINDOWS\system32\drivers
22:55:46.968 Service scanning
22:56:18.153 Modules scanning
22:56:32.704 Disk 0 trace - called modules:
22:56:32.724 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
22:56:32.724 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85728030]
22:56:32.734 3 CLASSPNP.SYS[f763ffd7] -> nt!IofCallDriver -> \Device\0000006d[0x85784f18]
22:56:32.744 5 ACPI.sys[f75b6620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x85753700]
22:56:33.525 AVAST engine scan C:\WINDOWS
22:57:35.084 AVAST engine scan C:\WINDOWS\system32
23:05:22.265 AVAST engine scan C:\WINDOWS\system32\drivers
23:06:11.736 AVAST engine scan C:\Documents and Settings\LIQUID
23:09:50.291 AVAST engine scan C:\Documents and Settings\All Users
23:11:00.502 Scan finished successfully
00:29:45.173 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\LIQUID\Desktop\MBR.dat"
00:29:45.173 The log file has been saved successfully to "C:\Documents and Settings\LIQUID\Desktop\aswMBR.txt"

Attached Files

  • MBR.zip (509 bytes, 2 downloads)
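The aswMBR log above does three things with the boot sector that ComboFix's /nombr switch skipped: it reads the MBR, matches the boot code against "Windows XP default MBR code", and decodes partition 1 as active NTFS at offset 63, 38154 MB. As an added example, not part of this thread and not aswMBR's own code, here is a Python parser that performs the same checks on a 512-byte MBR image such as the MBR.dat aswMBR saves: it verifies the 0x55AA signature, decodes the partition table, and compares a SHA-256 of the 440-byte boot-code region with a known-good baseline. The sample MBR, its boot-code bytes and its disk signature are constructed here (they are not real Windows boot code), and the baseline hash is derived from that same constructed sample; in practice the baseline would come from a clean install or a previously saved MBR.dat.

```python
import hashlib
import struct

SECTOR = 512
PT_OFFSET = 446           # 440 bytes of boot code + 4-byte disk signature + 2 bytes padding
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
PART_TYPES = {0x07: "HPFS/NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x83: "Linux"}

# Constructed stand-in for boot code; deliberately NOT real Windows MBR code.
SAMPLE_BOOT_CODE = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + bytes(range(40))


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: one active NTFS partition at LBA 63 sized 38154 MB,
    matching the partition line in the aswMBR log. Not a real disk image."""
    code = boot_code.ljust(440, b"\x00")
    disk_signature = b"\x11\x22\x33\x44" + b"\x00\x00"   # constructed NT disk signature + padding
    entry1 = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 38154 * 2048)
    empty = b"\x00" * 16
    return code + disk_signature + entry1 + empty * 3 + b"\x55\xaa"


def parse_mbr(mbr: bytes) -> dict:
    """Decode a 512-byte MBR: boot-code hash, disk signature, non-empty partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR image must be exactly 512 bytes")
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("boot signature 0x55AA missing")
    partitions = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        status, _, ptype, _, lba_start, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0:
            continue  # unused slot
        partitions.append({
            "index": i + 1,
            "active": status == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown"),
            "lba_start": lba_start,
            "sectors": count,
            "size_mb": count * SECTOR // (1024 * 1024),
        })
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:440]).hexdigest(),
        "disk_signature": struct.unpack("<I", mbr[440:444])[0],
        "partitions": partitions,
    }


def check_mbr(mbr: bytes, known_good_sha256: str) -> list:
    """Return findings a reviewer would want to see; an empty list means nothing stood out."""
    info = parse_mbr(mbr)
    findings = []
    if info["boot_code_sha256"] != known_good_sha256:
        findings.append("boot code differs from the known-good baseline")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    for p in info["partitions"]:
        if p["lba_start"] == 0:
            findings.append(f"partition {p['index']} starts at LBA 0 (overlaps the MBR)")
    return findings


def tampered_mbr(mbr: bytes) -> bytes:
    """Constructed variant with one flipped byte in the boot code, to show the baseline check firing."""
    out = bytearray(mbr)
    out[0] ^= 0xFF
    return bytes(out)


def load_mbr(path: str) -> bytes:
    """Read the first 512 bytes of a saved image such as aswMBR's MBR.dat."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR)


SAMPLE_MBR = build_sample_mbr(SAMPLE_BOOT_CODE)
# Baseline derived from the constructed sample; a real baseline comes from a known-clean disk.
KNOWN_GOOD_SHA256 = hashlib.sha256(SAMPLE_MBR[:440]).hexdigest()

if __name__ == "__main__":
    info = parse_mbr(SAMPLE_MBR)
    print(f"disk signature 0x{info['disk_signature']:08X}")
    for p in info["partitions"]:
        print(f"Partition {p['index']} {'80 (A)' if p['active'] else '00'} "
              f"{p['type']:02X} {p['type_name']} {p['size_mb']} MB offset {p['lba_start']}")
    print("clean sample:", check_mbr(SAMPLE_MBR, KNOWN_GOOD_SHA256) or "no findings")
    print("tampered sample:", check_mbr(tampered_mbr(SAMPLE_MBR), KNOWN_GOOD_SHA256))
```

To use it on a real saved image, replace `SAMPLE_MBR` with `load_mbr("MBR.dat")` and supply a baseline hash taken from a machine known to be clean; a mismatch on its own is only a reason to look closer, since OEM tools and some boot managers legitimately install non-default MBR code.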




