
Trojan Gromozon (Rootkit) Infection


13 replies to this topic

#1 GreyViper

GreyViper

  • Members
  • 26 posts
  • Location:Brisbane, Queensland, Australia

Posted 02 December 2012 - 01:15 PM

I ran a scan of SuperAntiSpyware and it found 5 files in Favorites folder containing the above infection. I selected the delete option and it removed the files. As these files were in the favorites folder for IE which I don't generally use (I prefer Firefox) I decided to delete all files and folders in the favorites folder. However, there was one directory that it could not remove. I went in to DOS to try and remove the folder but it said it could not find the folder. The folder shows as empty in Microsoft Explorer but it cannot be removed. I suspect this is related to the Trojan. I have run a further scan with SuperAntiSpyware and also with MalwareBytes and they both show as clean but I am concerned that there is still something there. I'm still running Windows XP on this machine. Please advise.

GreyViper


DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.9.2
Run by Mark at 3:54:08 on 2012-12-03
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.794 [GMT 10:00]
.
AV: ZoneAlarm Extreme Security Antivirus *Enabled/Updated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Extreme Security Firewall *Enabled*
.
============== Running Processes ================
.
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CheckPoint\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://au.yahoo.com/?cmp=hps
uURLSearchHooks: {a94e8dc9-07aa-45a7-8af2-a0375473a5cd} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: ZoneAlarm Security Engine Registrar: {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: ZoneAlarm Security Engine: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: Easy-WebPrint: {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - c:\program files\canon\easy-webprint\Toolband.dll
TB: ZoneAlarm Security Engine: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [ZoneAlarm] "c:\program files\checkpoint\zonealarm\zatray.exe"
mRun: [ISW] c:\program files\checkpoint\zaforcefield\ForceField.exe /icon="hidden"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:149
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre7\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
TCP: NameServer = 61.9.211.33 61.9.211.1
TCP: Interfaces\{EAC8B90B-5E16-471E-9C35-F9F082B654B1} : DHCPNameServer = 61.9.211.33 61.9.211.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\mark\application data\mozilla\firefox\profiles\r5rm76rl.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\checkpoint\zaforcefield\trustchecker\bin\npFFApi.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1165635.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1166636.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1167637.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_110.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\Npindeo.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - plugin: c:\windows\system32\npwmsdrm.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.zonealarm.autoRvrt - false
FF - user.js: extensions.zonealarm_i.newTab - false
FF - user.js: extensions.zonealarm.tlbrSrchUrl - hxxp://search.zonealarm.com/search?Source=ToolBar&oemCode=ZLN41583786292539-1043&toolbarId=base&affiliateId=1042&Lan={dfltLng}&utid=2877fcc90000000000000014850c3e4f&q=
FF - user.js: extensions.zonealarm.id - 2877fcc90000000000000014850c3e4f
FF - user.js: extensions.zonealarm.instlDay - 15536
FF - user.js: extensions.zonealarm.vrsn - 1.5.24.4
FF - user.js: extensions.zonealarm.vrsni - 1.5.24.4
FF - user.js: extensions.zonealarm_i.vrsnTs - 1.5.24.419:15:15
FF - user.js: extensions.zonealarm.prtnrId - checkpoint
FF - user.js: extensions.zonealarm.prdct - zonealarm
FF - user.js: extensions.zonealarm.aflt - 1042
FF - user.js: extensions.zonealarm_i.smplGrp - none
FF - user.js: extensions.zonealarm.tlbrId - base
FF - user.js: extensions.zonealarm.instlRef - ZLN41583786292539-1043
FF - user.js: extensions.zonealarm.dfltLng - en
FF - user.js: extensions.zonealarm.excTlbr - false
FF - user.js: extensions.zonealarm.admin - false
.
============= SERVICES / DRIVERS ===============
.
R0 hotcore3;Hotcore helper;c:\windows\system32\drivers\hotcore3.sys [2008-9-28 40496]
R0 KL1;kl1;c:\windows\system32\drivers\kl1.sys [2010-10-14 133208]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-2-16 64288]
R0 viaraid;viaraid;c:\windows\system32\drivers\viaraid.sys [2006-9-24 72192]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2010-10-14 11352]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-9-21 485808]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-12-4 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-4 67664]
R1 Vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2012-6-21 526640]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2010-7-16 116608]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2011-7-25 27016]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2011-7-25 497280]
R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\all users\application data\skype\toolbars\skype c2c service\c2c_service.exe [2012-11-22 3290304]
R2 vsmon;TrueVector Internet Monitor;c:\program files\checkpoint\zonealarm\vsmon.exe -service --> c:\program files\checkpoint\zonealarm\vsmon.exe -service [?]
R3 cmudax;C-Media High Definition Audio Interface;c:\windows\system32\drivers\cmudax.sys [2006-9-24 1287296]
R3 icsak;icsak;c:\program files\checkpoint\zaforcefield\ak\icsak.sys [2011-7-25 36744]
R3 LgBttPort;LGE Bluetooth TransPort;c:\windows\system32\drivers\lgbtport.sys [2009-9-29 12160]
R3 lgbusenum;LG Bluetooth Bus Enumerator;c:\windows\system32\drivers\lgbtbus.sys [2009-9-29 10496]
R3 LGVMODEM;LGE Virtual Modem;c:\windows\system32\drivers\lgvmodem.sys [2009-9-29 12928]
S2 gupdate1c9d065c67208ea;Google Update Service (gupdate1c9d065c67208ea);c:\program files\google\update\GoogleUpdate.exe [2009-5-9 133104]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-11-9 160944]
S3 Andbus;LGE Android Platform Composite USB Device;c:\windows\system32\drivers\lgandbus.sys [2012-8-9 14336]
S3 AndDiag;LGE Android Platform USB Serial Port;c:\windows\system32\drivers\lganddiag.sys [2012-8-9 20736]
S3 AndGps;LGE Android Platform USB GPS NMEA Port;c:\windows\system32\drivers\lgandgps.sys [2012-8-9 20096]
S3 ANDModem;LGE Android Platform USB Modem;c:\windows\system32\drivers\lgandmodem.sys [2012-8-9 25088]
S3 cdiskdun;cdiskdun;\??\c:\docume~1\joshua\locals~1\temp\cdiskdun.sys --> c:\docume~1\joshua\locals~1\temp\cdiskdun.sys [?]
S3 HcPvrUSB;HcPvrUSB.sys Homecast PVR USB driver 2.0.1;c:\windows\system32\drivers\HcPvrUSB.sys [2009-5-2 17664]
S3 MarkFun_NT;MarkFun_NT;c:\program files\gigabyte\et5\MARKFUN.W32 [2009-3-8 17912]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-4 12872]
S3 VMHybrid;VMHybrid service;c:\windows\system32\drivers\VMHybrid.sys [2007-2-11 705152]
.
=============== File Associations ===============
.
ShellExec: QSync.exe: Open="c:\program files\logitech\video\QSync.exe"
.
=============== Created Last 30 ================
.
2012-12-02 12:56:37 -------- d-----w- c:\documents and settings\mark\Trojan
2012-11-08 05:09:52 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2012-11-08 05:09:52 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2012-11-08 05:09:52 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2012-11-08 05:09:52 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2012-11-08 05:09:52 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2012-11-08 05:09:52 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2012-11-08 05:09:52 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2012-11-08 05:03:54 -------- d-----w- c:\program files\iPod
2012-11-08 05:03:49 -------- d-----w- c:\program files\iTunes
2012-11-08 05:03:49 -------- d-----w- c:\documents and settings\all users\application data\188F1432-103A-4ffb-80F1-36B633C5C9E1
.
==================== Find3M ====================
.
2012-11-20 08:35:36 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-20 08:35:36 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-24 17:12:26 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2012-10-24 17:12:26 69632 ----a-w- c:\windows\system32\QuickTime.qts
2012-10-22 08:37:31 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-10-02 18:04:21 58368 ----a-w- c:\windows\system32\synceng.dll
2012-09-29 09:54:26 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-24 13:16:36 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-09-04 07:50:39 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-09-04 07:50:39 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-09-04 07:50:38 746984 ----a-w- c:\windows\system32\deployJava1.dll
2004-03-11 03:27:22 40960 ----a-w- c:\program files\Uninstall_CDS.exe
.
============= FINISH: 3:56:23.20 ===============
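An added example, not part of this thread or of DDS itself: a small Python parser for the SERVICES / DRIVERS section of a DDS log like the one above. It pulls out the start type, image path and the file date/size DDS recorded, and flags the entries a helper would look at first: those DDS could not verify (the `--> ... [?]` form, seen above for vsmon and cdiskdun) and those whose image lives in a temp directory. The sample lines are copied from the log above; a flag means "check this by hand", not "malicious".

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: four SERVICES / DRIVERS lines taken from the DDS log in this thread.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============
.
R0 hotcore3;Hotcore helper;c:\windows\system32\drivers\hotcore3.sys [2008-9-28 40496]
R2 vsmon;TrueVector Internet Monitor;c:\program files\checkpoint\zonealarm\vsmon.exe -service --> c:\program files\checkpoint\zonealarm\vsmon.exe -service [?]
S3 cdiskdun;cdiskdun;\??\c:\docume~1\joshua\locals~1\temp\cdiskdun.sys --> c:\docume~1\joshua\locals~1\temp\cdiskdun.sys [?]
S3 VMHybrid;VMHybrid service;c:\windows\system32\drivers\VMHybrid.sys [2007-2-11 705152]
.
=============== File Associations ===============
"""

# "<R|S><start type> <service name>;<display name>;<image and file info>"
LINE_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# Verified entries end in "[yyyy-m-d size]"; unverified ones end in "[?]".
INFO_RE = re.compile(r"\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]\s*$")
TEMP_RE = re.compile(r"\\te?mp\\", re.IGNORECASE)


@dataclass
class ServiceEntry:
    state: str            # 'R' running, 'S' stopped
    start_type: int       # 0 boot, 1 system, 2 auto, 3 manual
    name: str
    display: str
    image: str            # path DDS resolved for the service or driver binary
    file_date: Optional[str]
    file_size: Optional[int]
    verified: bool        # False when DDS printed [?] instead of date and size


def parse_line(line: str) -> Optional[ServiceEntry]:
    """Parse one SERVICES / DRIVERS line; return None for separators and other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    state, start, name, display, rest = (m.group(k) for k in ("state", "start", "name", "display", "rest"))
    info = INFO_RE.search(rest)
    if info:
        return ServiceEntry(state, int(start), name, display, rest[: info.start()].strip(),
                            info.group("date"), int(info.group("size")), True)
    # Unverified form: "<registry image path> --> <resolved path> [?]"; keep the resolved path.
    image = re.sub(r"\s*\[\?\]\s*$", "", rest.split(" --> ")[-1]).strip()
    return ServiceEntry(state, int(start), name, display, image, None, None, False)


def parse_services(text: str) -> List[ServiceEntry]:
    """Collect the entries between the SERVICES / DRIVERS header and the next section header."""
    entries: List[ServiceEntry] = []
    in_section = False
    for line in text.splitlines():
        if "SERVICES / DRIVERS" in line:
            in_section = True
            continue
        if in_section and line.startswith("====="):
            break
        if in_section:
            entry = parse_line(line)
            if entry:
                entries.append(entry)
    return entries


def triage(entries: List[ServiceEntry]) -> Dict[str, List[str]]:
    """Map service name -> reasons it deserves a manual look. Empty dict means nothing stood out."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        reasons = []
        if not e.verified:
            reasons.append("DDS could not verify the image file ([?])")
        if TEMP_RE.search(e.image):
            reasons.append("image path is inside a temp directory")
        if e.start_type <= 1 and not e.verified:
            reasons.append("boot/system-start driver whose file could not be checked")
        if reasons:
            findings[e.name] = reasons
    return findings


def triage_text(text: str) -> Dict[str, List[str]]:
    return triage(parse_services(text))


if __name__ == "__main__":
    for name, reasons in triage_text(SAMPLE_LOG).items():
        print(name, "->", "; ".join(reasons))
```

On the sample, vsmon is flagged only because DDS could not stat its file (it is a ZoneAlarm component listed elsewhere in the log), while cdiskdun is flagged for that and for living under a user's temp folder; either way the next step is to confirm the file by hand, not to delete it.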


#2 Guest_White Warrior_*

Guest_White Warrior_*

  • Guests

Posted 05 December 2012 - 10:11 AM

Hi GreyViper

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

White Warrior

#3 GreyViper

GreyViper
  • Topic Starter

  • Members
  • 26 posts
  • Location:Brisbane, Queensland, Australia

Posted 06 December 2012 - 12:06 AM

Thanks White Warrior, I'm all yours! I await your response. Thanks for your help.

Grey Viper.

#4 Guest_White Warrior_*

Guest_White Warrior_*

  • Guests

Posted 06 December 2012 - 10:41 PM

Hi GreyViper

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Let me know how the computer is running now.

White Warrior

#5 GreyViper

GreyViper
  • Topic Starter

  • Members
  • 26 posts
  • Location:Brisbane, Queensland, Australia

Posted 07 December 2012 - 06:18 AM

Hi White Warrior,
The computer is running ok. My main concern is that SuperAntiSpyware found a bunch of Rootkit files in one of the directories of the Favorites folder under my folder in the Documents and Settings folder on the C drive. It deleted all of the shortcut files under that directory and all seemed ok. As I don't use IE as my browser - I use Firefox - I decided to delete all of the shortcut folders and files because the date modified was only a couple of days ago which I thought was very strange as some of them were very old links. Then I realized that they were a copy of my Bookmarks from Firefox so I proceeded to delete them all using Microsoft Explorer. However, there was one folder that it could not delete, responding with 'Access Denied'. Therefore I decided to use the DOS commands to delete this folder. I drilled down to the appropriate folder and tried to Remove the Directory using the RD command but it responds with "Access is denied. The system cannot find the file specified." Also I can't change to this directory using the CD command. It responds with "Access is denied." This made me a bit suspicious of this folder and I wondered if the rootkit was still in my system. I have attached the contents of the log file from the aswMBR scan.



aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2012-12-07 15:58:50
-----------------------------
15:58:50.562 OS Version: Windows 5.1.2600 Service Pack 3
15:58:50.562 Number of processors: 2 586 0x304
15:58:50.562 ComputerName: MARKS-COMPUTER UserName: Mark
15:59:02.203 Initialize success
16:06:16.437 AVAST engine defs: 12120602
16:06:48.906 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
16:06:48.921 Disk 0 Vendor: WDC_WD2500JS-00NCB1 10.02E02 Size: 238475MB BusType: 3
16:06:48.921 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c
16:06:48.921 Disk 1 Vendor: ST3200822AS 3.01 Size: 174290MB BusType: 3
16:06:48.921 Disk 0 MBR read successfully
16:06:48.937 Disk 0 MBR scan
16:06:48.984 Disk 0 unknown MBR code
16:06:48.984 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 40962 MB offset 63
16:06:49.000 Disk 0 Partition - 00 0F Extended LBA 197510 MB offset 83891430
16:06:49.015 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 30718 MB offset 83891493
16:06:49.031 Disk 0 Partition - 00 05 Extended 40962 MB offset 146801970
16:06:49.062 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 40962 MB offset 146802033
16:06:49.078 Disk 0 Partition - 00 05 Extended 125829 MB offset 293603940
16:06:49.093 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 125829 MB offset 230693463
16:06:49.109 Disk 0 scanning sectors +488392065
16:06:49.218 Disk 0 scanning C:\WINDOWS\system32\drivers
16:07:11.937 Service scanning
16:07:30.625 Modules scanning
16:07:38.312 Disk 0 trace - called modules:
16:07:38.328 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
16:07:38.328 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aaddab8]
16:07:38.328 3 CLASSPNP.SYS[f7657fd7] -> nt!IofCallDriver -> \Device\00000075[0x8ab28f18]
16:07:38.328 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x8ab36ad0]
16:07:38.562 AVAST engine scan C:\
19:38:34.906 Scan finished successfully
19:52:44.640 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Mark\Desktop\MBR.dat"
19:52:44.640 The log file has been saved successfully to "C:\Documents and Settings\Mark\Desktop\aswMBR.txt"


Thanks GreyViper.

#6 GreyViper

GreyViper
  • Topic Starter

  • Members
  • 26 posts
  • Location:Brisbane, Queensland, Australia

Posted 07 December 2012 - 07:37 AM

White Warrior,
I forgot to mention, I could not remove the directory but I was able to move the directory. The problem directory now resides in the folder
C:\Documents and Settings\Mark\Trojan\Camping

The directory "Trojan" is a directory I created and the directory "Camping" is the problem directory. It had a sub directory called "Aux. Battery Wiring" which I also couldn't remove but I was able to get rid of it using the rmdir command with the /S switch. I have copied an example of the directory commands that I have input using a command box. I have not tried to remove the "Camping" directory using the rd /S command as yet. I thought I would await instructions from you.
I'll wait till I hear back from you.
GreyViper.

Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Mark>dir
Volume in drive C is BOOT DISK
Volume Serial Number is 2877-FCC9

Directory of C:\Documents and Settings\Mark

07/12/2012 10:21 AM <DIR> .
07/12/2012 10:21 AM <DIR> ..
28/08/2010 06:18 PM <DIR> .dvdcss
25/06/2008 03:03 PM <DIR> Contacts
07/12/2012 07:52 PM <DIR> Desktop
24/08/2012 11:02 PM <DIR> Downloads
02/12/2012 10:17 PM <DIR> Favorites
08/08/2012 05:49 PM <DIR> JUNK
05/12/2012 11:13 AM <DIR> My Documents
07/12/2012 10:23 AM 17,563,648 ntuser.dat
19/07/2011 09:32 PM 697 PCTuneUp.config
23/11/2008 10:40 PM <DIR> Start Menu
07/12/2012 03:10 PM <DIR> Tracing
02/12/2012 10:57 PM <DIR> Trojan
11/02/2007 01:27 PM <DIR> WINDOWS
2 File(s) 17,564,345 bytes
13 Dir(s) 3,886,587,904 bytes free

C:\Documents and Settings\Mark>cd Trojan

C:\Documents and Settings\Mark\Trojan>dir
Volume in drive C is BOOT DISK
Volume Serial Number is 2877-FCC9

Directory of C:\Documents and Settings\Mark\Trojan

02/12/2012 10:57 PM <DIR> .
02/12/2012 10:57 PM <DIR> ..
07/12/2012 09:35 PM <DIR> Camping
0 File(s) 0 bytes
3 Dir(s) 3,886,587,904 bytes free

C:\Documents and Settings\Mark\Trojan>cd Camping

C:\Documents and Settings\Mark\Trojan\Camping>dir
Volume in drive C is BOOT DISK
Volume Serial Number is 2877-FCC9

Directory of C:\Documents and Settings\Mark\Trojan\Camping

07/12/2012 09:35 PM <DIR> .
07/12/2012 09:35 PM <DIR> ..
0 File(s) 0 bytes
2 Dir(s) 3,886,587,904 bytes free

C:\Documents and Settings\Mark\Trojan\Camping>dir
Volume in drive C is BOOT DISK
Volume Serial Number is 2877-FCC9

Directory of C:\Documents and Settings\Mark\Trojan\Camping

07/12/2012 09:35 PM <DIR> .
07/12/2012 09:35 PM <DIR> ..
0 File(s) 0 bytes
2 Dir(s) 3,886,587,904 bytes free

C:\Documents and Settings\Mark\Trojan\Camping>cd ..

C:\Documents and Settings\Mark\Trojan>dir
Volume in drive C is BOOT DISK
Volume Serial Number is 2877-FCC9

Directory of C:\Documents and Settings\Mark\Trojan

02/12/2012 10:57 PM <DIR> .
02/12/2012 10:57 PM <DIR> ..
07/12/2012 09:35 PM <DIR> Camping
0 File(s) 0 bytes
3 Dir(s) 3,886,587,904 bytes free

C:\Documents and Settings\Mark\Trojan>rd Camping
The process cannot access the file because it is being used by another process.

C:\Documents and Settings\Mark\Trojan>

This is what I am worried about. I hope this helps. Thank you.

#7 Guest_White Warrior_*

Guest_White Warrior_*

  • Guests

Posted 09 December 2012 - 10:47 PM

Hi GreyViper

That scan was a rootkit scan and it is clear.

The folder that is worrying you, C:\Documents and Settings\Mark\Trojan\Camping, is an empty folder. It shows 0 File(s) 0 bytes, 2 Dir(s).
If you wish to delete it, then please make a copy of it on an external device such as a USB stick or a disk, then delete it.
Reboot the computer and see if there is any difference to its performance.

Can you please post the SAS log showing what was deleted.

White Warrior

#8 GreyViper

GreyViper
  • Topic Starter

  • Members
  • 26 posts
  • Location:Brisbane, Queensland, Australia

Posted 10 December 2012 - 06:13 AM

Hi White Warrior,
This time I was able to delete the directory ... Trojan/Camping and then the parent directory ... Trojan simply using Microsoft Explorer. This would not work on the few previous times that I had tried it. I don't know why that would be. I have enclosed the SAS log below for your information. I'm starting to think that the original detection of this Trojan may have been a false positive. What do you think?
Thank you for your time and I'm sorry if I have taken up your time unnecessarily. I am always a bit paranoid when it comes to Trojans. Hopefully my system is now clear of these.

GreyViper



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/02/2012 at 03:06 PM

Application Version : 5.6.1014

Core Rules Database Version : 9669
Trace Rules Database Version: 7481

Scan type : Complete Scan
Total Scan Time : 01:01:43

Operating System Information
Windows XP Home Edition 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator

Memory items scanned : 580
Memory threats detected : 0
Registry items scanned : 41718
Registry threats detected : 0
File items scanned : 68578
File threats detected : 98

Adware.Tracking Cookie
.invitemedia.com [ C:\DOCUMENTS AND SETTINGS\JOSHUA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\CI3OP6MU.DEFAULT\COOKIES.SQLITE ]
.serving-sys.com [ C:\DOCUMENTS AND SETTINGS\JOSHUA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\CI3OP6MU.DEFAULT\COOKIES.SQLITE ]
.serving-sys.com [ C:\DOCUMENTS AND SETTINGS\JOSHUA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\CI3OP6MU.DEFAULT\COOKIES.SQLITE ]
.imrworldwide.com [ C:\DOCUMENTS AND SETTINGS\JOSHUA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\CI3OP6MU.DEFAULT\COOKIES.SQLITE ]
.imrworldwide.com [ C:\DOCUMENTS AND SETTINGS\JOSHUA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\CI3OP6MU.DEFAULT\COOKIES.SQLITE ]
.invitemedia.com [ C:\DOCUMENTS AND SETTINGS\JOSHUA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\CI3OP6MU.DEFAULT\COOKIES.SQLITE ]
.lucidmedia.com [ C:\DOCUMENTS AND SETTINGS\JOSHUA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\CI3OP6MU.DEFAULT\COOKIES.SQLITE ]
.invitemedia.com [ C:\DOCUMENTS AND SETTINGS\JOSHUA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\CI3OP6MU.DEFAULT\COOKIES.SQLITE ]
.serving-sys.com [ C:\DOCUMENTS AND SETTINGS\JOSHUA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\CI3OP6MU.DEFAULT\COOKIES.SQLITE ]
.ad.mlnadvertising.com [ C:\DOCUMENTS AND SETTINGS\JOSHUA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\CI3OP6MU.DEFAULT\COOKIES.SQLITE ]
.yieldmanager.net [ C:\DOCUMENTS AND SETTINGS\JOSHUA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\CI3OP6MU.DEFAULT\COOKIES.SQLITE ]
.apmebf.com [ C:\DOCUMENTS AND SETTINGS\JOSHUA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\CI3OP6MU.DEFAULT\COOKIES.SQLITE ]
.media6degrees.com [ C:\DOCUMENTS AND SETTINGS\JOSHUA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\CI3OP6MU.DEFAULT\COOKIES.SQLITE ]
.media6degrees.com [ C:\DOCUMENTS AND SETTINGS\JOSHUA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\CI3OP6MU.DEFAULT\COOKIES.SQLITE ]
.media6degrees.com [ C:\DOCUMENTS AND SETTINGS\JOSHUA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\CI3OP6MU.DEFAULT\COOKIES.SQLITE ]
.server.cpmstar.com [ C:\DOCUMENTS AND SETTINGS\JOSHUA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\CI3OP6MU.DEFAULT\COOKIES.SQLITE ]
.server.cpmstar.com [ C:\DOCUMENTS AND SETTINGS\JOSHUA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\CI3OP6MU.DEFAULT\COOKIES.SQLITE ]
.server.cpmstar.com [ C:\DOCUMENTS AND SETTINGS\JOSHUA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\CI3OP6MU.DEFAULT\COOKIES.SQLITE ]
.adxpose.com [ C:\DOCUMENTS AND SETTINGS\JOSHUA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\CI3OP6MU.DEFAULT\COOKIES.SQLITE ]
.invitemedia.com [ C:\DOCUMENTS AND SETTINGS\JOSHUA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\CI3OP6MU.DEFAULT\COOKIES.SQLITE ]
.invitemedia.com [ C:\DOCUMENTS AND SETTINGS\JOSHUA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\CI3OP6MU.DEFAULT\COOKIES.SQLITE ]
.invitemedia.com [ C:\DOCUMENTS AND SETTINGS\JOSHUA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\CI3OP6MU.DEFAULT\COOKIES.SQLITE ]
.invitemedia.com [ C:\DOCUMENTS AND SETTINGS\JOSHUA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\CI3OP6MU.DEFAULT\COOKIES.SQLITE ]
.flagcounter.com [ C:\DOCUMENTS AND SETTINGS\JOSHUA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\CI3OP6MU.DEFAULT\COOKIES.SQLITE ]
.apmebf.com [ C:\DOCUMENTS AND SETTINGS\JOSHUA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\CI3OP6MU.DEFAULT\COOKIES.SQLITE ]
.serving-sys.com [ C:\DOCUMENTS AND SETTINGS\JOSHUA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\CI3OP6MU.DEFAULT\COOKIES.SQLITE ]
.serving-sys.com [ C:\DOCUMENTS AND SETTINGS\JOSHUA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\CI3OP6MU.DEFAULT\COOKIES.SQLITE ]
.serving-sys.com [ C:\DOCUMENTS AND SETTINGS\JOSHUA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\CI3OP6MU.DEFAULT\COOKIES.SQLITE ]
.bs.serving-sys.com [ C:\DOCUMENTS AND SETTINGS\JOSHUA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\CI3OP6MU.DEFAULT\COOKIES.SQLITE ]
ia.media-imdb.com [ C:\DOCUMENTS AND SETTINGS\MARK\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\AGNA4JRG ]

Trojan.Gromozon (RootKit)
C:\DOCUMENTS AND SETTINGS\MARK\FAVORITES\CAMPING\AUX. BATTERY WIRING\ 4WD SYSTEMS - DUAL BATTERY SYSTEMS .URL
C:\DOCUMENTS AND SETTINGS\MARK\FAVORITES\CAMPING\AUX. BATTERY WIRING\BATTERY POWER @ EXPLOROZ.URL
C:\DOCUMENTS AND SETTINGS\MARK\FAVORITES\CAMPING\AUX. BATTERY WIRING\DUAL BATTERY SYSTEMS.URL
C:\DOCUMENTS AND SETTINGS\MARK\FAVORITES\CAMPING\AUX. BATTERY WIRING\LMC DUAL BATTERY SYSTEMS.URL
C:\DOCUMENTS AND SETTINGS\MARK\FAVORITES\CAMPING\AUX. BATTERY WIRING\TOWING - HARDINGS CARAVAN SERVICES - CARAVAN REPAIRS, SERVICING AND ACCESSORIES MELBOURNE AUSTRALIA.URL


When I ran the clean up with SuperAntiSpyware it removed all of the .URL files in the CAMPING\AUX. BATTERY WIRING directory and these now are held in the Quarantine area of SuperAntiSpyware.

Grey Viper

#9 Guest_White Warrior_*

Guest_White Warrior_*

  • Guests
  • OFFLINE
  •  

Posted 11 December 2012 - 08:25 AM

Hi GreyViper

I'm starting to think that the original detection of this Trojan may have been a false positive. What do you think?

I don't think it's a false positive, but I don't think it's a rootkit either. It is an old virus infection that SAS is quite capable of deleting, which it has done.
Make sure you delete everything in the SAS quarantine folder.

Thank you for your time and I'm sorry if I have taken up your time unnecessarily

You are welcome and you have not wasted my time, especially not unnecessarily. This is what we are here for, to help. It is good to be paranoid in today's Internet environment.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats".
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
Any problems left?

White Warrior.

Edited by White Warrior, 11 December 2012 - 08:26 AM.


#10 GreyViper

GreyViper
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Location:Brisbane, Queensland, Australia
  • Local time:06:56 AM

Posted 11 December 2012 - 11:13 PM

Hi White Warrior, I have run the ESET scan as requested. It took 4 hours! I had an external 1 terabyte hard drive connected and so it scanned that as well. That is the Y: drive mentioned in the log file. I have looked at the log file and some of the files that it has removed are quite old. The one on the Y: drive is from my old work PC originally and I haven't been at that job for well over 2 years. However, the scan is done and the items have been quarantined. Should I delete them at some time? Everything is working fine and there doesn't seem to be any problems, so is it ok to start to do online banking again on this machine or should I wait a while?
Thanks for your help.
GreyViper.


C:\Documents and Settings\Debbie\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\30\337df21e-73d0c1ae a variant of Java/Exploit.Agent.AI.Gen trojan deleted - quarantined
D:\Downloads\videora-ipodtouch-600-setup.exe Win32/OpenCandy application cleaned by deleting - quarantined
D:\Downloads\Installed Downloads (free)\UBCD4WinV320.exe multiple threats cleaned by deleting - quarantined
D:\Downloads\Installed Downloads (free)\YouTubeDownloaderSetup27.exe a variant of Win32/Toolbar.Widgi application cleaned by deleting - quarantined
D:\Downloads\Installed Downloads (free)\iPod Touch\videora-ipodtouch-504-setup.exe Win32/OpenCandy application cleaned by deleting - quarantined
Y:\NEW Stuff From 80G Maxtor\FROM Work PC\Downloads\firmware_maintenance-7.50-0.iso\firmware_maintenance-7.50-0.iso a variant of Win32/TFTPD32.B application deleted - quarantined

#11 Guest_White Warrior_*

Guest_White Warrior_*

  • Guests
  • OFFLINE
  •  

Posted 12 December 2012 - 09:56 AM

Hi GreyViper

ESET log.
Yes, delete everything in quarantine.

Yes it is ok to do online banking again. Your logs look clean.

Now, Purging System Restore Points
Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Please delete all the files/folders left over from the tools we have run.

Any problems left?

White Warrior

Edited by White Warrior, 12 December 2012 - 09:57 AM.


#12 GreyViper

GreyViper
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Location:Brisbane, Queensland, Australia

Posted 12 December 2012 - 11:26 PM

Hi White Warrior,
I have deleted the quarantined files and created a new restore point. However, when I run Cleanmgr I don't get a "More Options" tab on my version. I'm running XP Home edition SP3. (See the attachment for a view of the window I get when I run Cleanmgr.)
I have loaded some Windows Updates and that has caused two more restore points but I have been unable to delete the older ones. Is that a problem provided I just don't restore them in the future or is it necessary that they be deleted?

GreyViper

Attached Files



#13 Guest_White Warrior_*

Guest_White Warrior_*

  • Guests
  • OFFLINE
  •  

Posted 13 December 2012 - 04:28 PM

Hi GreyViper

To make sure the old restore points have been purged, let's reset them again.
Any restore points that are made after you have finished will be clean and can be left alone.

On the desktop, right-click My Computer > click Properties > click the System Restore tab.
Check Turn off System Restore.
Click Apply > a window will pop up and ask if you really want to turn it off > click Yes.
Please wait a few moments to let it clear.
Now remove the check from Turn off System Restore.
Click Apply, and then click OK.

Now some preventative steps to ensure you don't get infected again:

It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

You can check your system for out of date software manually, or by using automated tools such as Secunia's Personal Software Inspector. This goes doubly for security applications such as antivirus and other antimalware products based on definition lists, where out of date lists mean no detection of newer malware.

Finally, read this tutorial and follow each of the steps:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

Happy Surfing.

White Warrior
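Posts #11 and #13 both aim at the same end state: every pre-cleanup restore point purged and one fresh, clean point left behind, which matters because a restore point made while the machine was infected can bring the infection back. On Windows XP the GUI steps in both posts can be driven through the SystemRestore WMI class in the root\default namespace, which is useful when, as happened above, Cleanmgr on XP Home shows no "More Options" tab. This is an added example, not a script from the thread or from BleepingComputer; it assumes it is run with an administrator account on XP and that C: is the system drive (on XP, turning System Restore off on the system drive turns it off for all drives, which is what clears the old points).

```vbscript
' Added example (not from the thread): purge old XP restore points, then create one clean one.
' Assumes an administrator account on Windows XP with the system drive on C:.
Option Explicit

Const DRIVE = "C:\"
Const RP_APPLICATION_INSTALL = 0    ' RestorePointType used for a manual point
Const EV_BEGIN_SYSTEM_CHANGE = 100  ' EventType for a one-off point
Const NEW_POINT_NAME = "Clean system after malware removal"

Dim sr, rc
Set sr = GetObject("winmgmts:{impersonationLevel=impersonate}!root\default:SystemRestore")

' Print what exists now; this is the list Cleanmgr's More Options tab would have shown.
ListRestorePoints "Restore points before purge:"

' Turning System Restore off discards every stored restore point (post #13's procedure).
rc = sr.Disable(DRIVE)
If rc <> 0 Then
    WScript.Echo "Disable failed, return code " & rc
    WScript.Quit 1
End If
WScript.Sleep 5000   ' give the service a few seconds to clear the _restore data, as post #13 says

' Turn it back on and wait until the service reports it is enabled again.
rc = sr.Enable(DRIVE, True)
If rc <> 0 Then
    WScript.Echo "Enable failed, return code " & rc
    WScript.Quit 1
End If

' Create the single clean point to roll back to (post #11's "Create a Restore Point").
rc = sr.CreateRestorePoint(NEW_POINT_NAME, RP_APPLICATION_INSTALL, EV_BEGIN_SYSTEM_CHANGE)
If rc <> 0 Then
    WScript.Echo "CreateRestorePoint failed, return code " & rc
    WScript.Quit 1
End If

' Confirm that only the newly created point remains.
ListRestorePoints "Restore points after purge:"

Sub ListRestorePoints(heading)
    Dim rp
    WScript.Echo heading
    For Each rp In GetObject("winmgmts:{impersonationLevel=impersonate}!root\default").InstancesOf("SystemRestore")
        WScript.Echo "  #" & rp.SequenceNumber & "  " & rp.CreationTime & "  " & rp.Description
    Next
End Sub
```

Run it with cscript so the output stays in the console; note the date and name of the new point, as post #11 advises, so it can be found later.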

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,410 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:06:56 AM

Posted 19 December 2012 - 03:26 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft
