BOO/Whistler infection


  • This topic is locked
15 replies to this topic

#1 Nemo_one

  • Members
  • 21 posts

Posted 26 August 2012 - 07:54 PM

Hi!

I got warned by Avira about a BOO/Whistler rootkit on hard drive D. Avira isn't able to remove the rootkit.
OS is Windows 7 64-bit, fresh install. There are partitions C: system (a new hard drive with a fresh install), and D, E (old hard drive with Windows XP).
Here are the DDS and GMER logs (GMER had many of its options grayed out, registry and files; it's empty since it didn't find anything). Hope you can help me.

Edited by Nemo_one, 27 August 2012 - 03:09 PM.




#2 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 27 August 2012 - 03:03 PM

Good evening. :)

Will you post the contents of DDS.txt that should have been created when you ran DDS - you have attached the secondary log, attach.txt, but not the primary, more important, one.

So long, and thanks for all the fish.

 

 


#3 Nemo_one
  • Topic Starter

  • Members
  • 21 posts

Posted 27 August 2012 - 03:09 PM

Good evening, I have attached the DDS.txt log (overlooked it in my hurry to get this solved :)

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385
Run by Ratko at 2:44:41 on 2012-08-27
Microsoft Windows 7 Professional 6.1.7600.0.1250.385.1033.18.4045.2423 [GMT 2:00]
.
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Users\Ratko\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ratko\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ratko\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ratko\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ratko\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ratko\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ratko\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ratko\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ratko\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ratko\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ratko\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit=userinit.exe
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
uRun: [Google Update] "C:\Users\Ratko\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [USB3MON] "C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [IMSS] "C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe"
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
TCP: Interfaces\{4D0A99F0-17CB-4360-AF9A-443DD1B4E5AC} : NameServer = 195.29.149.197 195.29.166.117
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
mRun-x64: [USB3MON] "C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [IMSS] "C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe"
mRun-x64: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
.
============= SERVICES / DRIVERS ===============
.
R0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;C:\Windows\system32\DRIVERS\iusb3hcs.sys --> C:\Windows\system32\DRIVERS\iusb3hcs.sys [?]
R1 avkmgr;avkmgr;C:\Windows\system32\DRIVERS\avkmgr.sys --> C:\Windows\system32\DRIVERS\avkmgr.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AntiVirSchedulerService;Avira Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2012-8-27 86224]
R2 AntiVirService;Avira Realtime Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2012-8-27 110032]
R2 avgntflt;avgntflt;C:\Windows\system32\DRIVERS\avgntflt.sys --> C:\Windows\system32\DRIVERS\avgntflt.sys [?]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2012-8-27 13592]
R2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2012-2-2 628448]
R2 Intel® ME Service;Intel® ME Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [2012-8-27 128280]
R2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe [2012-8-27 161560]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2012-8-27 363800]
R3 iusb3hub;Intel® USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\iusb3hub.sys --> C:\Windows\system32\DRIVERS\iusb3hub.sys [?]
R3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;C:\Windows\system32\DRIVERS\iusb3xhc.sys --> C:\Windows\system32\DRIVERS\iusb3xhc.sys [?]
R3 MBfilt;MBfilt;C:\Windows\system32\drivers\MBfilt64.sys --> C:\Windows\system32\drivers\MBfilt64.sys [?]
R3 MEIx64;Intel® Management Engine Interface ;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-4-1 183560]
S3 fssfltr;fssfltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2011-5-13 1492840]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2012-08-27 00:30:17 -------- d-----w- C:\Program Files (x86)\ESET
2012-08-27 00:12:07 -------- d-----w- C:\Users\Ratko\AppData\Roaming\Avira
2012-08-27 00:07:59 826368 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-08-27 00:07:59 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-08-27 00:07:59 204800 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-08-27 00:07:59 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-08-27 00:07:55 139264 ----a-w- C:\Windows\System32\cabview.dll
2012-08-27 00:07:55 132608 ----a-w- C:\Windows\SysWow64\cabview.dll
2012-08-27 00:07:29 98848 ----a-w- C:\Windows\System32\drivers\avgntflt.sys
2012-08-27 00:07:29 27760 ----a-w- C:\Windows\System32\drivers\avkmgr.sys
2012-08-27 00:07:28 -------- d-----w- C:\ProgramData\Avira
2012-08-27 00:07:28 -------- d-----w- C:\Program Files (x86)\Avira
2012-08-27 00:02:26 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-08-27 00:02:24 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-08-27 00:02:24 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-08-27 00:02:24 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-08-26 23:54:13 9309624 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{DBA022E6-305B-4218-ACA7-30EC2C2DDA59}\mpengine.dll
2012-08-26 23:54:13 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-08-26 23:51:25 -------- d-----w- C:\Users\Ratko\AppData\Local\Google
2012-08-26 23:51:12 -------- d-----w- C:\Users\Ratko\AppData\Local\Deployment
2012-08-26 23:51:12 -------- d-----w- C:\Users\Ratko\AppData\Local\Apps
2012-08-26 23:33:35 -------- d-----w- C:\Program Files (x86)\Common Files\Intel Corporation
2012-08-26 23:32:18 -------- d-----w- C:\Users\Ratko\AppData\Roaming\Intel Corporation
2012-08-26 23:30:20 15128 ----a-r- C:\Windows\System32\drivers\IntelMEFWVer.dll
2012-08-26 23:30:05 -------- d-----w- C:\Program Files (x86)\Common Files\postureAgent
2012-08-26 23:29:48 60184 ----a-w- C:\Windows\System32\drivers\HECIx64.sys
2012-08-26 23:29:28 568600 ----a-w- C:\Windows\System32\drivers\iaStor.sys
2012-08-26 23:25:56 16152 ----a-w- C:\Windows\System32\drivers\iusb3hcs.sys
2012-08-26 23:25:47 356120 ----a-w- C:\Windows\System32\drivers\iusb3hub.sys
2012-08-26 23:25:46 787736 ----a-w- C:\Windows\System32\drivers\iusb3xhc.sys
2012-08-26 23:21:52 53248 ----a-r- C:\Windows\SysWow64\CSVer.dll
2012-08-26 23:21:39 -------- d-----w- C:\Intel
2012-08-26 23:11:36 -------- d-----w- C:\Users\Ratko\AppData\Local\VirtualStore
2012-08-26 23:11:06 -------- d-----w- C:\Program Files (x86)\Microsoft
2012-08-26 23:08:59 29962240 ----a-w- C:\ProgramData\Microsoft\OEMOffice14\Office14\SingleImage.WW\SingleImageWW.msi
2012-08-26 23:04:59 0 ----a-w- C:\Windows\ativpsrm.bin
.
==================== Find3M ====================
.
.
============= FINISH: 2:44:56,08 ===============

Edited by Noviciate, 27 August 2012 - 04:02 PM.
Added DDS from attachment.


#4 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 27 August 2012 - 04:04 PM

Download aswMBR.exe from here and save it to your Desktop.

  • Double click the tool to run it.
  • When prompted "Would you like to download latest Avast! virus definitions?" click Yes - you may need to allow access through your firewall.
  • Click the Scan button to, well, start the scan - obvious really!
  • Once the scan reports "Scan finished successfully" click Save log.
  • On my system it offers to save it to the Desktop, which may or may not be its default behaviour, but it's as handy a place as any.
  • You'll also see a file called MBR.dat appear as well - this is a backup that it created, just in case it's needed. Keep it handy for now.

I'd like the contents of aswMBR.txt in your next reply, if you'd be so kind.

So long, and thanks for all the fish.

 

 


#5 Nemo_one
  • Topic Starter

  • Members
  • 21 posts

Posted 27 August 2012 - 04:16 PM

Here is the aswMBR.txt. Hope it helps in solving the problem. Waiting for your reply :)

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-08-27 23:06:43
-----------------------------
23:06:43.058 OS Version: Windows x64 6.1.7600
23:06:43.058 Number of processors: 2 586 0x2A07
23:06:43.058 ComputerName: RATKO-PC UserName: Ratko
23:06:43.214 Initialize success
23:09:42.897 AVAST engine defs: 12082700
23:11:45.741 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
23:11:45.741 Disk 0 Vendor: OCZ-AGIL 2.15 Size: 114473MB BusType: 3
23:11:45.741 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-2
23:11:45.741 Disk 1 Vendor: WDC_WD40 12.0 Size: 381554MB BusType: 3
23:11:45.756 Disk 0 MBR read successfully
23:11:45.756 Disk 0 MBR scan
23:11:45.756 Disk 0 Windows 7 default MBR code
23:11:45.756 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
23:11:45.756 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 114371 MB offset 206848
23:11:45.772 Disk 0 scanning C:\Windows\system32\drivers
23:11:50.312 Service scanning
23:11:57.425 Modules scanning
23:11:57.425 Disk 0 trace - called modules:
23:11:57.425 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll
23:11:57.425 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006024060]
23:11:57.441 3 CLASSPNP.SYS[fffff8800140143f] -> nt!IofCallDriver -> [0xfffffa800391f5d0]
23:11:57.441 5 ACPI.sys[fffff88000f92781] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8003924050]
23:11:57.566 AVAST engine scan C:\Windows
23:11:58.112 AVAST engine scan C:\Windows\system32
23:13:12.040 AVAST engine scan C:\Windows\system32\drivers
23:13:15.987 AVAST engine scan C:\Users\Ratko
23:13:47.639 AVAST engine scan C:\ProgramData
23:13:51.243 Scan finished successfully
23:14:26.265 Disk 0 MBR has been saved successfully to "C:\Users\Ratko\Desktop\MBR.dat"
23:14:26.265 The log file has been saved successfully to "C:\Users\Ratko\Desktop\aswMBR.txt"

Edited by Noviciate, 27 August 2012 - 04:17 PM.
Added log from attachment.


#6 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 27 August 2012 - 04:18 PM

Unless specifically stated, please copy and paste information rather than adding it as an attachment - I'll only edit it into your post to make it easier to review.

I got warned by Avira for BOO/whistler rootkit on hard drive D. Avira isn't able to remove the rootkit.

Can you tell me the exact location (filename and path) that was flagged?

So long, and thanks for all the fish.

 

 


#7 Nemo_one
  • Topic Starter

  • Members
  • 21 posts

Posted 27 August 2012 - 04:23 PM

OK, sorry, I thought it was "cleaner" attaching a txt. I'll post the contents from now on.

Avira reports BOO/Whistler on every windows startup, and this is the report:

Master boot sector HD1
[DETECTION] Contains code of the BOO/Whistler boot sector virus
[NOTE] The boot sector has not been repaired!
Boot sector 'D:\'
[DETECTION] Contains code of the BOO/Whistler boot sector virus
[NOTE] The boot sector has not been repaired!
Boot sector 'E:\'
[DETECTION] Contains code of the BOO/Whistler boot sector virus
[NOTE] The boot sector has not been repaired!

Edited by Nemo_one, 27 August 2012 - 05:16 PM.
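The aswMBR run in post #5 compared Disk 0's boot code against a reference ("Windows 7 default MBR code") and saved a 512-byte copy of the sector as MBR.dat; the Avira report above flags the master boot sector of HD1 and the volume boot sectors of D: and E: on the same basis, code in the sector that is not what a clean installer writes. The Python below is an added example by the editor, not code from the thread, from aswMBR or from Avira: it parses a saved MBR dump offline, hashes the boot-code region so it can be compared against a set of known-good hashes the analyst supplies, and sanity-checks the partition table (exactly one active partition, no overlapping entries). The sample sector is constructed to mirror the two-partition layout aswMBR reported for Disk 0; its disk signature 0x1A2B3C4D and its NOP-filled boot code are placeholders, not a real Windows 7 MBR.

```python
"""Offline triage of a saved 512-byte MBR dump such as aswMBR's MBR.dat.

Added example (editor's code, not from the thread or any tool in it).
The sample sector is constructed; its boot code is a NOP placeholder, so
the "known-good" hash is whatever the analyst passes in, not a real
Windows 7 MBR hash.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_END = 440      # bytes 0..439: executable boot code
DISK_SIG_OFF = 440       # 4-byte Windows disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446     # four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xaa"
PART_TYPES = {0x05: "Extended", 0x07: "HPFS/NTFS", 0x0B: "FAT32",
              0x0C: "FAT32 LBA", 0x0F: "Extended LBA", 0xEE: "GPT protective"}


def parse_mbr(mbr: bytes) -> dict:
    """Return the disk signature, a hash of the boot code and the partition table."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(mbr)}")
    if mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _, _, _, ptype, _, _, _, lba, count = struct.unpack(
            "<8BII", mbr[off:off + 16])
        if ptype == 0:
            continue  # unused entry
        partitions.append({
            "index": i + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown"),
            "lba_start": lba,
            "sectors": count,
            "size_mb": count * SECTOR // (1024 * 1024),
        })
    return {
        "disk_signature": struct.unpack("<I", mbr[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_END]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(mbr: bytes, known_good_hashes: set) -> list:
    """Flag boot code outside a reference set, plus partition-table oddities.

    Same idea as aswMBR's "Windows 7 default MBR code" verdict: compare the
    code region with known-good images instead of trusting a sector because
    it boots. A bootkit that keeps the table intact still changes this hash.
    """
    info = parse_mbr(mbr)
    findings = []
    if info["boot_code_sha256"] not in known_good_hashes:
        findings.append("boot code does not match any known-good MBR: sha256="
                        + info["boot_code_sha256"])
    active = [p["index"] for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"{len(active)} partitions carry the active flag (expected 1)")
    by_start = sorted(info["partitions"], key=lambda p: p["lba_start"])
    for a, b in zip(by_start, by_start[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"partition {a['index']} overlaps partition {b['index']}")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed sample mirroring aswMBR's Disk 0 layout; placeholder boot code."""
    def entry(status, ptype, lba, count):
        # CHS fields set to FE FF FF, the usual "use the LBA fields" filler
        return struct.pack("<8BII", status, 0xFE, 0xFF, 0xFF,
                           ptype, 0xFE, 0xFF, 0xFF, lba, count)
    boot_code = b"\x90" * BOOT_CODE_END              # NOP sled stands in for real code
    disk_sig = struct.pack("<I", 0x1A2B3C4D) + b"\x00\x00"   # assumed signature
    table = (entry(0x80, 0x07, 2048, 204800)          # 100 MB System Reserved, active
             + entry(0x00, 0x07, 206848, 234231808)   # 114371 MB Windows partition
             + b"\x00" * 32)                          # two unused entries
    return boot_code + disk_sig + table + MBR_SIGNATURE


if __name__ == "__main__":
    import sys
    # Usage: python mbr_check.py MBR.dat [known_good_sha256 ...]
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    for part in parse_mbr(data)["partitions"]:
        print(part)
    for finding in check_mbr(data, set(sys.argv[2:])):
        print("FINDING:", finding)
```

Run it against the real MBR.dat with the SHA-256 of a sector read from a known-clean install of the same Windows version as the known-good hash; with no hashes supplied it will always report the boot code as unmatched, which is the intended default. Because the partition table is left alone by most boot-sector infectors, the table checks are secondary; the hash comparison is the one that matters.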


#8 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 28 August 2012 - 02:44 PM

Good evening. :)

...i thought it was "cleaner" with txt attaching...

It possibly is, but it's a pain if I have to open an attachment every time I want to review the information that it contains.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

For 64-bit systems, download Farbar Recovery Scan Tool x64 and save it to a flash drive. Plug the flash drive into the infected PC and then enter System Recovery Options.

  • To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the Command Window type in notepad and hit <ENTER>.
  • When a notepad window opens, under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64.exe and hit <ENTER>.

    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • A log, called FRST.txt, will be created on the flash drive - please copy and paste the contents in your reply.

Also, do you boot into Windows XP at all, or are you just using the drive that it happens to contain?

So long, and thanks for all the fish.

 

 


#9 Nemo_one
  • Topic Starter

  • Members
  • 21 posts

Posted 28 August 2012 - 04:10 PM

Here are the contents:

Scan result of Farbar Recovery Scan Tool Version: 28-08-2012
Ran by SYSTEM at 28-08-2012 23:06:24
Running from H:\
Windows 7 Professional (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [13307496 2011-10-16] (Realtek Semiconductor)
HKLM-x32\...\Run: [USB3MON] "C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [291608 2012-01-26] (Intel Corporation)
HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284440 2011-11-29] (Intel Corporation)
HKLM-x32\...\Run: [IMSS] "C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [133400 2012-02-07] (Intel Corporation)
HKLM-x32\...\Run: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe" [202296 2011-04-24] (Kaspersky Lab ZAO)
Winlogon\Notify\klogon: %SystemRoot%\System32\klogon.dll (Kaspersky Lab ZAO)

==================== Services (Whitelisted) ======

2 AVP; "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe" -r [202296 2011-04-24] (Kaspersky Lab ZAO)
2 Intel® Capability Licensing Service Interface; "C:\Program Files\Intel\iCLS Client\HeciServer.exe" [628448 2012-02-02] (Intel® Corporation)
2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [128280 2012-02-07] ()
2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2012-02-07] (Intel Corporation)
2 UNS; "C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe" [363800 2012-02-07] (Intel Corporation)

==================== Drivers (Whitelisted) ===================

3 ISCT; C:\Windows\System32\DRIVERS\ISCTD64.sys [44992 2012-08-26] ()
0 iusb3hcs; C:\Windows\System32\Drivers\iusb3hcs.sys [16152 2012-01-26] (Intel Corporation)
3 iusb3hub; C:\Windows\System32\Drivers\iusb3hub.sys [356120 2012-01-26] (Intel Corporation)
3 iusb3xhc; C:\Windows\System32\Drivers\iusb3xhc.sys [787736 2012-01-26] (Intel Corporation)
0 KL1; C:\Windows\System32\Drivers\KL1.sys [460888 2011-03-04] (Kaspersky Lab ZAO)
1 kl2; C:\Windows\System32\Drivers\kl2.sys [11864 2011-03-04] (Kaspersky Lab ZAO)
1 KLIF; C:\Windows\System32\Drivers\KLIF.sys [615728 2012-08-28] (Kaspersky Lab)
1 KLIM6; C:\Windows\System32\Drivers\KLIM6.sys [29488 2011-03-10] (Kaspersky Lab ZAO)
3 klmouflt; C:\Windows\System32\Drivers\klmouflt.sys [22544 2009-11-02] (Kaspersky Lab)

==================== NetSvcs (Whitelisted) =================


==================== One Month Created Files and Folders ======================

2012-08-28 23:06 - 2012-08-28 23:06 - 00000000 ____D C:\FRST
2012-08-28 12:55 - 2012-08-28 12:55 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2012-08-28 03:57 - 2012-08-28 04:12 - 00153053 ____A C:\Windows\System32\Drivers\klin.dat
2012-08-28 03:57 - 2012-08-28 04:12 - 00107384 ____A C:\Windows\System32\Drivers\klick.dat
2012-08-28 03:56 - 2012-08-28 12:34 - 00000000 ____D C:\Users\All Users\Kaspersky Lab
2012-08-28 03:56 - 2012-08-28 03:56 - 00615728 ____A (Kaspersky Lab) C:\Windows\System32\Drivers\klif.sys
2012-08-28 03:56 - 2012-08-28 03:56 - 00000000 ____D C:\Program Files (x86)\Kaspersky Lab
2012-08-28 03:53 - 2012-08-28 03:53 - 00009249 ____A C:\ComboFix.txt
2012-08-28 03:47 - 2012-08-28 03:53 - 00000000 ____D C:\Qoobox
2012-08-28 03:47 - 2012-08-28 03:53 - 00000000 ____D C:\ComboFix
2012-08-28 03:47 - 2012-08-28 03:50 - 00000000 ____D C:\Windows\erdnt
2012-08-28 03:47 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2012-08-28 03:47 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-08-28 03:47 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-08-28 03:47 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-08-28 03:47 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-08-28 03:47 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2012-08-28 03:47 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-08-28 03:47 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-08-28 03:38 - 2012-08-28 03:39 - 04738472 ____R (Swearware) C:\Users\Ratko\Desktop\ComboFix.exe
2012-08-27 15:00 - 2012-08-27 15:00 - 00007605 ____A C:\Users\Ratko\AppData\Local\Resmon.ResmonCfg
2012-08-27 14:46 - 2012-08-27 14:46 - 00017408 ____A C:\Users\Ratko\AppData\Local\WebpageIcons.db
2012-08-27 14:42 - 2012-08-27 14:42 - 00000000 ____D C:\Windows\System32\appmgmt
2012-08-27 14:31 - 2012-08-27 14:31 - 00000000 ____D C:\Matrix Games
2012-08-27 14:23 - 2012-08-27 14:23 - 00000000 ____D C:\TDSSKiller_Quarantine
2012-08-27 14:21 - 2012-08-27 14:21 - 00000000 ____D C:\Users\Ratko\Desktop\tdsskiller
2012-08-27 14:17 - 2012-08-27 14:17 - 02193184 ____A C:\Users\Ratko\Desktop\tdsskiller.zip
2012-08-27 13:14 - 2012-08-27 13:14 - 00002044 ____A C:\Users\Ratko\Desktop\aswMBR.txt
2012-08-27 13:14 - 2012-08-27 13:14 - 00000512 ____A C:\Users\Ratko\Desktop\MBR.dat
2012-08-27 13:06 - 2012-08-27 13:06 - 04731392 ____A (AVAST Software) C:\Users\Ratko\Desktop\aswMBR.exe
2012-08-26 17:30 - 2012-08-26 17:30 - 00000000 ____D C:\Users\Ratko\AppData\Roaming\Malwarebytes
2012-08-26 16:52 - 2012-08-26 16:52 - 00000000 ____A C:\Users\Ratko\Desktop\ark.txt
2012-08-26 16:46 - 2012-08-26 16:46 - 00294216 ____A C:\Users\Ratko\Desktop\gmer.zip
2012-08-26 16:46 - 2012-08-26 16:46 - 00000000 ____D C:\Users\Ratko\Desktop\gmer
2012-08-26 16:45 - 2012-08-26 16:45 - 00012387 ____A C:\Users\Ratko\Desktop\DDS.txt
2012-08-26 16:45 - 2012-08-26 16:45 - 00003178 ____A C:\Users\Ratko\Desktop\Attach.txt
2012-08-26 16:43 - 2012-08-26 16:43 - 00607260 ____R (Swearware) C:\Users\Ratko\Desktop\dds.com
2012-08-26 16:09 - 2012-08-28 03:50 - 00077980 ____A C:\Windows\PFRO.log
2012-08-26 16:07 - 2012-02-14 22:27 - 01031680 ____A (Microsoft Corporation) C:\Windows\System32\rdpcore.dll
2012-08-26 16:07 - 2012-02-14 21:44 - 00826368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\rdpcore.dll
2012-08-26 16:07 - 2012-02-14 20:47 - 00204800 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-08-26 16:07 - 2012-02-14 20:46 - 00023552 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tdtcp.sys
2012-08-26 16:07 - 2010-01-08 23:19 - 00139264 ____A (Microsoft Corporation) C:\Windows\System32\cabview.dll
2012-08-26 16:07 - 2010-01-08 22:52 - 00132608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cabview.dll
2012-08-26 16:02 - 2012-06-02 14:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-08-26 16:02 - 2012-06-02 14:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-08-26 16:02 - 2012-06-02 14:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-08-26 16:02 - 2012-06-02 14:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-08-26 16:02 - 2012-06-02 14:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-08-26 16:02 - 2012-06-02 14:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-08-26 16:02 - 2012-06-02 14:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-08-26 16:02 - 2012-06-02 05:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-08-26 16:02 - 2012-06-02 05:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-08-26 15:54 - 2012-05-31 02:25 - 00279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2012-08-26 15:53 - 2012-08-26 15:53 - 00002329 ____A C:\Users\Ratko\Desktop\Google Chrome.lnk
2012-08-26 15:52 - 2012-08-26 15:52 - 90098552 ____A C:\Users\Ratko\Downloads\avira_free_antivirus_en.exe
2012-08-26 15:51 - 2012-08-28 13:01 - 00000958 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2111497008-2276002318-1748161448-1000UA.job
2012-08-26 15:51 - 2012-08-27 16:01 - 00000906 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2111497008-2276002318-1748161448-1000Core.job
2012-08-26 15:51 - 2012-08-26 15:53 - 00000000 ____D C:\Users\Ratko\AppData\Local\Google
2012-08-26 15:51 - 2012-08-26 15:51 - 00000000 ____D C:\Users\Ratko\AppData\Local\Deployment
2012-08-26 15:51 - 2012-08-26 15:51 - 00000000 ____D C:\Users\Ratko\AppData\Local\Apps\2.0
2012-08-26 15:32 - 2012-08-26 15:32 - 00000000 ____D C:\Users\Ratko\AppData\Roaming\Intel Corporation
2012-08-26 15:32 - 2012-08-26 15:32 - 00000000 ____A C:\Users\Ratko\agent.log
2012-08-26 15:30 - 2012-08-28 12:00 - 00000828 ____A C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job
2012-08-26 15:30 - 2012-08-26 15:32 - 00000830 ____A C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job
2012-08-26 15:30 - 2012-08-26 15:30 - 00000000 ____D C:\Users\All Users\Intel
2012-08-26 15:30 - 2012-08-26 15:30 - 00000000 ____D C:\Program Files\Intel
2012-08-26 15:30 - 2012-02-07 01:40 - 00015128 ___RA C:\Windows\System32\Drivers\IntelMEFWVer.dll
2012-08-26 15:29 - 2012-08-26 15:29 - 00000000 ____D C:\Users\Ratko\AppData\Roaming\InstallShield
2012-08-26 15:29 - 2011-11-29 09:40 - 00568600 ____A (Intel Corporation) C:\Windows\System32\Drivers\iaStor.sys
2012-08-26 15:29 - 2011-11-09 09:04 - 00060184 ____A (Intel Corporation) C:\Windows\System32\Drivers\HECIx64.sys
2012-08-26 15:25 - 2012-08-26 15:25 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_iusb3hcs_01009.Wdf
2012-08-26 15:25 - 2012-01-26 09:39 - 00787736 ____A (Intel Corporation) C:\Windows\System32\Drivers\iusb3xhc.sys
2012-08-26 15:25 - 2012-01-26 09:39 - 00356120 ____A (Intel Corporation) C:\Windows\System32\Drivers\iusb3hub.sys
2012-08-26 15:25 - 2012-01-26 09:39 - 00016152 ____A (Intel Corporation) C:\Windows\System32\Drivers\iusb3hcs.sys
2012-08-26 15:24 - 2012-08-26 15:29 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2012-08-26 15:24 - 2012-08-26 15:24 - 00000000 ____D C:\Windows\SysWOW64\RTCOM
2012-08-26 15:24 - 2012-08-26 15:24 - 00000000 ____D C:\Program Files\Realtek
2012-08-26 15:24 - 2012-08-26 15:24 - 00000000 ____D C:\Program Files (x86)\Realtek
2012-08-26 15:24 - 2011-10-18 03:53 - 02957544 ____A (Realtek Semiconductor Corp.) C:\Windows\System32\Drivers\RTKVHD64.sys
2012-08-26 15:24 - 2011-10-18 02:10 - 00099432 ____A (Realtek Semiconductor Corp.) C:\Windows\System32\RCoInst64.dll
2012-08-26 15:24 - 2011-10-18 00:41 - 00150996 ____A C:\Windows\System32\Drivers\RTAIODAT.DAT
2012-08-26 15:24 - 2011-10-17 21:55 - 00331880 ____A (Realtek Semiconductor Corp.) C:\Windows\System32\RtlCPAPI64.dll
2012-08-26 15:24 - 2011-10-17 21:47 - 01914472 ____A (Realtek Semiconductor Corp.) C:\Windows\System32\RtkApi64.dll
2012-08-26 15:24 - 2011-10-17 19:05 - 02528872 ____A (Realtek Semiconductor Corp.) C:\Windows\System32\RtPgEx64.dll
2012-08-26 15:24 - 2011-10-17 01:30 - 03213928 ____A (Realtek Semiconductor Corp.) C:\Windows\System32\RtkAPO64.dll
2012-08-26 15:24 - 2011-10-10 23:37 - 00626264 ____A (Creative Technology Ltd.) C:\Windows\System32\MBTHX64.dll
2012-08-26 15:24 - 2011-10-10 23:37 - 00561240 ____A (Creative Technology Ltd.) C:\Windows\SysWOW64\MBTHX32.dll
2012-08-26 15:24 - 2011-08-31 03:12 - 01698408 ___RA (Realtek Semiconductor Corp.) C:\Windows\RtlExUpd.dll
2012-08-26 15:24 - 2011-08-23 05:57 - 00565352 ____A (Realtek ) C:\Windows\System32\Drivers\Rt64win7.sys
2012-08-26 15:24 - 2011-08-23 05:57 - 00107552 ____A (Realtek Semiconductor Corporation) C:\Windows\System32\RTNUninst64.dll
2012-08-26 15:24 - 2011-08-23 05:57 - 00074272 ____A C:\Windows\System32\RtNicProp64.dll
2012-08-26 15:24 - 2011-08-19 05:10 - 00886360 ____A (Creative Technology Ltd.) C:\Windows\System32\MBAPO64.dll
2012-08-26 15:24 - 2011-08-19 05:10 - 00746072 ____A (Creative Technology Ltd.) C:\Windows\SysWOW64\MBAPO32.dll
2012-08-26 15:24 - 2011-07-27 08:55 - 02604376 ____A (Waves Audio Ltd.) C:\Windows\System32\WavesGUILib.dll
2012-08-26 15:24 - 2011-07-27 08:55 - 02132824 ____A (Waves Audio Ltd.) C:\Windows\System32\MaxxAudioEQ.dll
2012-08-26 15:24 - 2011-07-22 03:35 - 01247848 ____A (Realtek Semiconductor Corp.) C:\Windows\System32\RTCOM64.dll
2012-08-26 15:24 - 2011-06-30 00:14 - 01560168 ____A (Realtek Semiconductor Corp.) C:\Windows\System32\RTSnMg64.cpl
2012-08-26 15:24 - 2011-05-04 23:24 - 02085440 ____A (Fortemedia Corporation) C:\Windows\System32\FMAPO64.dll
2012-08-26 15:24 - 2010-11-07 15:31 - 00375128 ____A (Dolby Laboratories, Inc.) C:\Windows\System32\RTEEP64A.dll
2012-08-26 15:24 - 2010-11-07 15:31 - 00310104 ____A (Dolby Laboratories, Inc.) C:\Windows\System32\RP3DHT64.dll
2012-08-26 15:24 - 2010-11-07 15:31 - 00310104 ____A (Dolby Laboratories, Inc.) C:\Windows\System32\RP3DAA64.dll
2012-08-26 15:24 - 2010-11-07 15:31 - 00204120 ____A (Dolby Laboratories, Inc.) C:\Windows\System32\RTEED64A.dll
2012-08-26 15:24 - 2010-11-07 15:31 - 00101208 ____A (Dolby Laboratories, Inc.) C:\Windows\System32\RTEEL64A.dll
2012-08-26 15:24 - 2010-11-07 15:31 - 00078680 ____A (Dolby Laboratories, Inc.) C:\Windows\System32\RTEEG64A.dll
2012-08-26 15:24 - 2010-11-03 02:30 - 00149608 ____A (Realtek Semiconductor Corp.) C:\Windows\System32\RtkCfg64.dll
2012-08-26 15:24 - 2010-10-15 03:20 - 02261764 ____A C:\Windows\System32\Drivers\rtvienna.dat
2012-08-26 15:24 - 2010-09-26 17:34 - 00318808 ____A (Waves Audio Ltd.) C:\Windows\System32\MaxxAudioAPO20.dll
2012-08-26 15:24 - 2010-07-22 00:37 - 00200800 ____A (Andrea Electronics Corporation) C:\Windows\System32\AERTAC64.dll
2012-08-26 15:24 - 2010-07-02 03:40 - 00080984 ____A (Creative Technology Ltd.) C:\Windows\System32\MBWrp64.dll
2012-08-26 15:24 - 2009-11-23 17:55 - 00518896 ____A (SRS Labs, Inc.) C:\Windows\System32\SRSTSX64.dll
2012-08-26 15:24 - 2009-11-23 17:55 - 00211184 ____A (SRS Labs, Inc.) C:\Windows\System32\SRSTSH64.dll
2012-08-26 15:24 - 2009-11-23 17:55 - 00198896 ____A (SRS Labs, Inc.) C:\Windows\System32\SRSHP64.dll
2012-08-26 15:24 - 2009-11-23 17:55 - 00155888 ____A (SRS Labs, Inc.) C:\Windows\System32\SRSWOW64.dll
2012-08-26 15:24 - 2009-11-17 15:12 - 00032344 ____A (Creative Technology Ltd.) C:\Windows\System32\Drivers\MBfilt64.sys
2012-08-26 15:24 - 2009-11-17 02:12 - 00108960 ____A (Andrea Electronics Corporation) C:\Windows\System32\AERTAR64.dll
2012-08-26 15:21 - 2012-08-26 15:30 - 00000000 ____D C:\Program Files (x86)\Intel
2012-08-26 15:21 - 2012-08-26 15:21 - 00000000 ____D C:\Intel
2012-08-26 15:21 - 2011-12-05 23:55 - 00053248 ___RA (Windows XP Bundled build C-Centric Single User) C:\Windows\SysWOW64\CSVer.dll
2012-08-26 15:11 - 2012-08-26 15:11 - 00000000 ____D C:\Users\Ratko\AppData\Local\VirtualStore
2012-08-26 15:10 - 2012-08-26 15:10 - 00000195 ____A C:\Windows\DirectX.log
2012-08-26 15:10 - 2012-08-26 15:10 - 00000000 ____D C:\Windows\PCHEALTH
2012-08-26 15:10 - 2012-08-26 15:10 - 00000000 ____D C:\Windows\en
2012-08-26 15:10 - 2012-08-26 15:10 - 00000000 ____D C:\Program Files\Windows Live
2012-08-26 15:10 - 2012-08-26 15:10 - 00000000 ____D C:\Program Files (x86)\Windows Live
2012-08-26 15:10 - 2012-08-26 15:10 - 00000000 ____D C:\Program Files (x86)\Microsoft SQL Server Compact Edition
2012-08-26 15:10 - 2011-05-13 05:37 - 00048488 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fssfltr.sys
2012-08-26 15:10 - 2009-09-04 07:44 - 00515416 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAudio2_5.dll
2012-08-26 15:10 - 2009-09-04 07:44 - 00069464 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAPOFX1_3.dll
2012-08-26 15:10 - 2009-09-04 07:29 - 00523088 ____A (Microsoft Corporation) C:\Windows\System32\d3dx10_42.dll
2012-08-26 15:10 - 2009-09-04 07:29 - 00453456 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_42.dll
2012-08-26 15:10 - 2006-11-29 03:06 - 04398360 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_32.dll
2012-08-26 15:10 - 2006-11-29 03:06 - 03426072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_32.dll
2012-08-26 15:09 - 2012-08-28 13:04 - 00388056 ____A C:\Windows\WindowsUpdate.log
2012-08-26 15:09 - 2012-08-26 15:49 - 00000000 ____D C:\Users\Ratko\AppData\Local\Windows Live
2012-08-26 15:09 - 2012-08-26 15:09 - 00057560 ____A C:\Users\Ratko\AppData\Local\GDIPFONTCACHEV1.DAT
2012-08-26 15:09 - 2012-08-26 15:09 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2012-08-26 15:09 - 2012-08-26 15:09 - 00000000 ____D C:\Program Files (x86)\Microsoft Office
2012-08-26 15:09 - 2010-08-10 21:19 - 03860992 ____A (Microsoft Corporation) C:\Windows\System32\UIRibbon.dll
2012-08-26 15:09 - 2010-08-10 21:13 - 01164800 ____A (Microsoft Corporation) C:\Windows\System32\UIRibbonRes.dll
2012-08-26 15:09 - 2010-08-10 20:44 - 02983424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\UIRibbon.dll
2012-08-26 15:09 - 2010-08-10 20:35 - 01164800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\UIRibbonRes.dll
2012-08-26 15:09 - 2010-05-23 02:15 - 01619456 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL
2012-08-26 15:09 - 2010-05-23 02:11 - 03181568 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mf.dll
2012-08-26 15:09 - 2010-05-23 02:11 - 00196608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mfreadwrite.dll
2012-08-26 15:09 - 2010-05-23 00:37 - 01888256 ____A (Microsoft Corporation) C:\Windows\System32\WMVDECOD.DLL
2012-08-26 15:09 - 2010-05-23 00:35 - 04068864 ____A (Microsoft Corporation) C:\Windows\System32\mf.dll
2012-08-26 15:09 - 2010-05-23 00:35 - 00257024 ____A (Microsoft Corporation) C:\Windows\System32\mfreadwrite.dll
2012-08-26 15:09 - 2010-05-23 00:35 - 00206848 ____A (Microsoft Corporation) C:\Windows\System32\mfps.dll
2012-08-26 15:08 - 2012-08-26 15:32 - 00000000 ____D C:\users\Ratko
2012-08-26 15:08 - 2012-08-26 15:08 - 00000020 ___SH C:\Users\Ratko\ntuser.ini
2012-08-26 15:08 - 2012-08-26 15:08 - 00000000 ____D C:\Recovery
2012-08-26 15:05 - 2012-08-26 15:05 - 00001313 ____A C:\Windows\TSSysprep.log
2012-08-26 15:04 - 2012-08-26 15:04 - 00000000 ____A C:\Windows\ativpsrm.bin

==================== 3 Months Modified Files ================================

2012-08-28 13:04 - 2012-08-26 15:09 - 00388056 ____A C:\Windows\WindowsUpdate.log
2012-08-28 13:04 - 2009-07-13 20:45 - 00013616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-28 13:04 - 2009-07-13 20:45 - 00013616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-28 13:01 - 2012-08-26 15:51 - 00000958 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2111497008-2276002318-1748161448-1000UA.job
2012-08-28 12:58 - 2009-07-13 21:13 - 00713888 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-28 12:55 - 2012-08-28 12:55 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2012-08-28 12:55 - 2009-07-13 20:51 - 00021029 ____A C:\Windows\setupact.log
2012-08-28 12:00 - 2012-08-26 15:30 - 00000828 ____A C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job
2012-08-28 12:00 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-28 04:12 - 2012-08-28 03:57 - 00153053 ____A C:\Windows\System32\Drivers\klin.dat
2012-08-28 04:12 - 2012-08-28 03:57 - 00107384 ____A C:\Windows\System32\Drivers\klick.dat
2012-08-28 03:56 - 2012-08-28 03:56 - 00615728 ____A (Kaspersky Lab) C:\Windows\System32\Drivers\klif.sys
2012-08-28 03:53 - 2012-08-28 03:53 - 00009249 ____A C:\ComboFix.txt
2012-08-28 03:50 - 2012-08-26 16:09 - 00077980 ____A C:\Windows\PFRO.log
2012-08-28 03:50 - 2009-07-13 18:34 - 00000215 ____A C:\Windows\system.ini
2012-08-28 03:39 - 2012-08-28 03:38 - 04738472 ____R (Swearware) C:\Users\Ratko\Desktop\ComboFix.exe
2012-08-27 16:01 - 2012-08-26 15:51 - 00000906 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2111497008-2276002318-1748161448-1000Core.job
2012-08-27 15:00 - 2012-08-27 15:00 - 00007605 ____A C:\Users\Ratko\AppData\Local\Resmon.ResmonCfg
2012-08-27 14:46 - 2012-08-27 14:46 - 00017408 ____A C:\Users\Ratko\AppData\Local\WebpageIcons.db
2012-08-27 14:17 - 2012-08-27 14:17 - 02193184 ____A C:\Users\Ratko\Desktop\tdsskiller.zip
2012-08-27 13:14 - 2012-08-27 13:14 - 00002044 ____A C:\Users\Ratko\Desktop\aswMBR.txt
2012-08-27 13:14 - 2012-08-27 13:14 - 00000512 ____A C:\Users\Ratko\Desktop\MBR.dat
2012-08-27 13:06 - 2012-08-27 13:06 - 04731392 ____A (AVAST Software) C:\Users\Ratko\Desktop\aswMBR.exe
2012-08-27 01:03 - 2009-07-13 21:38 - 00025600 __ASH C:\Windows\System32\config\BCD-Template.LOG
2012-08-27 01:03 - 2009-07-13 21:32 - 00028672 ____A C:\Windows\System32\config\BCD-Template
2012-08-26 17:04 - 2012-02-09 06:24 - 00044992 ____A C:\Windows\System32\Drivers\ISCTD64.sys
2012-08-26 16:52 - 2012-08-26 16:52 - 00000000 ____A C:\Users\Ratko\Desktop\ark.txt
2012-08-26 16:46 - 2012-08-26 16:46 - 00294216 ____A C:\Users\Ratko\Desktop\gmer.zip
2012-08-26 16:45 - 2012-08-26 16:45 - 00012387 ____A C:\Users\Ratko\Desktop\DDS.txt
2012-08-26 16:45 - 2012-08-26 16:45 - 00003178 ____A C:\Users\Ratko\Desktop\Attach.txt
2012-08-26 16:43 - 2012-08-26 16:43 - 00607260 ____R (Swearware) C:\Users\Ratko\Desktop\dds.com
2012-08-26 15:53 - 2012-08-26 15:53 - 00002329 ____A C:\Users\Ratko\Desktop\Google Chrome.lnk
2012-08-26 15:52 - 2012-08-26 15:52 - 90098552 ____A C:\Users\Ratko\Downloads\avira_free_antivirus_en.exe
2012-08-26 15:32 - 2012-08-26 15:32 - 00000000 ____A C:\Users\Ratko\agent.log
2012-08-26 15:32 - 2012-08-26 15:30 - 00000830 ____A C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job
2012-08-26 15:25 - 2012-08-26 15:25 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_iusb3hcs_01009.Wdf
2012-08-26 15:10 - 2012-08-26 15:10 - 00000195 ____A C:\Windows\DirectX.log
2012-08-26 15:09 - 2012-08-26 15:09 - 00057560 ____A C:\Users\Ratko\AppData\Local\GDIPFONTCACHEV1.DAT
2012-08-26 15:08 - 2012-08-26 15:08 - 00000020 ___SH C:\Users\Ratko\ntuser.ini
2012-08-26 15:05 - 2012-08-26 15:05 - 00001313 ____A C:\Windows\TSSysprep.log
2012-08-26 15:05 - 2009-07-13 20:46 - 00001774 ____A C:\Windows\DtcInstall.log
2012-08-26 15:04 - 2012-08-26 15:04 - 00000000 ____A C:\Windows\ativpsrm.bin
2012-08-26 15:04 - 2009-07-13 20:45 - 00274320 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-02 14:19 - 2012-08-26 16:02 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-08-26 16:02 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-08-26 16:02 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-08-26 16:02 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-08-26 16:02 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:15 - 2012-08-26 16:02 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-08-26 16:02 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 05:19 - 2012-08-26 16:02 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 05:15 - 2012-08-26 16:02 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-05-31 02:25 - 2012-08-26 15:54 - 00279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-08-26 15:09:07
Restore point made on: 2012-08-26 15:09:14
Restore point made on: 2012-08-26 15:09:19
Restore point made on: 2012-08-26 15:09:26
Restore point made on: 2012-08-26 15:09:35
Restore point made on: 2012-08-26 15:09:58
Restore point made on: 2012-08-26 15:10:04
Restore point made on: 2012-08-26 15:10:12
Restore point made on: 2012-08-26 15:11:28
Restore point made on: 2012-08-26 15:24:51
Restore point made on: 2012-08-26 15:54:10
Restore point made on: 2012-08-26 16:02:23
Restore point made on: 2012-08-26 16:09:11
Restore point made on: 2012-08-27 03:25:17
Restore point made on: 2012-08-27 03:27:10

==================== Memory info ===========================

Percentage of memory in use: 14%
Total physical RAM: 4044.81 MB
Available physical RAM: 3462.79 MB
Total Pagefile: 4042.96 MB
Available Pagefile: 3456.36 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

==================== Partitions ============================

1 Drive c: (SSD) (Fixed) (Total:111.69 GB) (Free:88.81 GB) NTFS
2 Drive d: (Arhiva1) (Fixed) (Total:98.64 GB) (Free:63.75 GB) NTFS
3 Drive e: (Arhiva2) (Fixed) (Total:273.97 GB) (Free:209.34 GB) NTFS
5 Drive h: (nolabel) (Removable) (Total:3.76 GB) (Free:1.42 GB) NTFS
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: () (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          111 GB      0 B
  Disk 1    Online          372 GB     9 MB
  Disk 2    Online         3853 MB      0 B

Partitions of Disk 0:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            100 MB  1024 KB
  Partition 2    Primary            111 GB   101 MB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     Y                NTFS   Partition    100 MB  Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C    SSD          NTFS   Partition    111 GB  Healthy

==================================================================================

Partitions of Disk 1:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary             98 GB    31 KB
  Partition 0    Extended           273 GB    98 GB
  Partition 2    Logical            273 GB    98 GB

==================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     D    Arhiva1      NTFS   Partition     98 GB  Healthy

==================================================================================

Disk: 1
Partition 2
Type : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4     E    Arhiva2      NTFS   Partition    273 GB  Healthy

==================================================================================

Partitions of Disk 2:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
* Partition 1    Primary           3853 MB      0 B

==================================================================================

Disk: 2
There is no partition selected.

There is no partition selected.
Please select a partition and try again.

==================================================================================

Last Boot: 2012-08-27 05:22

==================== End Of Log =============================

#10 Noviciate

Posted 28 August 2012 - 04:59 PM

Also, do you boot into Windows XP at all, or are you just using the drive that it happens to contain?


#11 Nemo_one

Posted 28 August 2012 - 05:22 PM

No, I don't boot into Windows XP. I'm just using that hard drive as a file archive.

#12 Noviciate

Posted 29 August 2012 - 02:17 PM

Good evening. :)

It looks like you have a standard MBR then. Please follow the instructions here to replace the infected one on your main drive.

Unless you boot from a drive there is no risk posed by an infected MBR, so you don't really need to concern yourself with the other detections, but we can fix those once you have the main one resolved. Let me know how you get on.


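The post above makes two points worth seeing in code: the repair it links to rewrites the loader code at the front of the disk, and an infected MBR on a disk the BIOS never boots from is never executed. The script below is an added example, not part of this thread or of any tool mentioned in it. It parses a 512-byte MBR dump of the kind aswMBR saves as MBR.dat, hashes the 440-byte boot-code region against a known-good value, and reads the partition table to see which entry carries the 0x80 active flag. The loader bytes, the known-good hash set and both sample MBRs are constructed for the example (their partition layouts are modelled on Disk 0 and Disk 1 from the FRST log above); on a real machine the baseline hash would come from a clean reference image of the same Windows version.

```python
"""Inspect a raw 512-byte MBR dump (e.g. the MBR.dat that aswMBR writes) for what a
bootkit check looks at: the 0x55AA signature, a hash of the 440-byte boot-code region
against a known-good value, and the partition table's active flag.
All sample data below is constructed for this example; it is not real disk content."""
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440       # bytes 0..439: the code the BIOS jumps into
PT_OFFSET = 446          # four 16-byte partition entries
SIG_OFFSET = 510         # two-byte 0x55AA marker
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def bootcode_hash(bootcode: bytes) -> str:
    """SHA-256 of the boot-code region, zero-padded to 440 bytes as it is on disk."""
    return hashlib.sha256(bootcode.ljust(BOOTCODE_LEN, b"\x00")).hexdigest()


def make_entry(active: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Build one partition-table entry; CHS fields get the usual 0xFEFFFF 'use LBA' filler."""
    return struct.pack(ENTRY_FMT, 0x80 if active else 0x00, b"\xfe\xff\xff",
                       ptype, b"\xfe\xff\xff", lba_start, sectors)


def build_mbr(bootcode: bytes, entries: list) -> bytes:
    """Assemble a 512-byte MBR: boot code, 6 bytes disk signature/reserved, table, 0x55AA."""
    if len(bootcode) > BOOTCODE_LEN or len(entries) > 4:
        raise ValueError("boot code too long or too many partition entries")
    table = b"".join(entries).ljust(64, b"\x00")
    return bootcode.ljust(BOOTCODE_LEN, b"\x00") + b"\x00" * 6 + table + b"\x55\xaa"


def parse_mbr(data: bytes) -> dict:
    """Decode the signature, the boot-code hash and every non-empty partition entry."""
    if len(data) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(data)}")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, data, PT_OFFSET + 16 * i)
        if ptype == 0 and lba == 0 and count == 0:
            continue  # empty slot
        parts.append({"index": i + 1, "status": status, "active": status == 0x80,
                      "type": ptype, "lba_start": lba, "sectors": count})
    return {"signature_ok": data[SIG_OFFSET:SIG_OFFSET + 2] == b"\x55\xaa",
            "bootcode_sha256": hashlib.sha256(data[:BOOTCODE_LEN]).hexdigest(),
            "partitions": parts}


def check_mbr(data: bytes, known_good: set) -> list:
    """Return a list of findings; an empty list means nothing looked wrong."""
    info = parse_mbr(data)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["bootcode_sha256"] not in known_good:
        findings.append("boot code does not match any known-good loader hash")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly one)")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']}: invalid status byte 0x{p['status']:02x}")
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append(f"partition {p['index']}: zero start or length")
    return findings


# --- constructed sample data (placeholder bytes, not a real loader or bootkit) ---
GOOD_BOOTCODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"KNOWN-GOOD-LOADER"
# Same prologue, then a jump into code that is not the stock loader.
TAMPERED_BOOTCODE = GOOD_BOOTCODE[:8] + b"\xe9\x00\x01" + b"BOOTKIT-STAGE-1"
KNOWN_GOOD_HASHES = {bootcode_hash(GOOD_BOOTCODE)}  # baseline taken from a clean reference image

# Layout modelled on Disk 0 in the log: 100 MB system partition at 1 MiB, then the 111 GB C: volume.
GOOD_MBR = build_mbr(GOOD_BOOTCODE, [make_entry(True, 0x07, 2048, 204800),
                                     make_entry(False, 0x07, 206848, 232783872)])
# Layout modelled on Disk 1: 98 GB primary at sector 63 (old XP layout) plus an extended partition.
TAMPERED_MBR = build_mbr(TAMPERED_BOOTCODE, [make_entry(True, 0x07, 63, 205520896),
                                             make_entry(False, 0x0F, 205520959, 572522496)])

if __name__ == "__main__":
    for name, blob, is_boot_disk in (("Disk 0", GOOD_MBR, True), ("Disk 1", TAMPERED_MBR, False)):
        findings = check_mbr(blob, KNOWN_GOOD_HASHES)
        print(f"{name}: {'clean' if not findings else '; '.join(findings)}")
        if findings and not is_boot_disk:
            print("  (the BIOS never executes this MBR, so nothing runs from it until the disk is booted)")
```

The hash covers only the first 440 bytes because that is all the repair rewrites; the disk signature and partition table behind it are left alone, which is why the D: and E: volumes survive a boot-code rewrite intact. With a real dump, read the 512 bytes from MBR.dat instead of building them, and take the baseline hash from a disk you trust rather than from the one under suspicion.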
#13 Nemo_one

Posted 30 August 2012 - 03:53 PM

Hi,
I followed the instructions and successfully updated the NTFS file system bootcode and the disk bootcode (Hardisk0\DR0).
Can we fix the boot sectors on the other drive, since that was the MBR source of the BOO/Whistler infection?

#14 Noviciate

Posted 31 August 2012 - 02:24 PM

Good evening. :)

Technically as you do not boot from the second hard drive, the master boot record is never accessed and so it poses no threat to your system. Will you just confirm for me that your scanner no longer flags the first mbr as infected.

#15 Nemo_one

Posted 06 September 2012 - 02:34 PM

Hi!

Avira is no longer reporting the threat, although after the boot sector repair I used TDSSKiller and it found BOO/Whistler and removed it.
Everything seems to be clean now and working.



