
HERE IS THE WORST INFECTED COMPUTER I HAVE SEEN



#1 Andy63


Posted 27 February 2013 - 10:57 AM

This is a client's computer which was giving me a BSOD of 7b and second Hex 034, which indicates a bad boot drive. Under further review I suspected the machine to have an invalid or tampered BIOS. I could not do a clean install with the original drive or a formatted new drive; I kept getting the same BSOD codes. The client had another computer, so the plan was to set up the new PC with his old personal files, Favorites and such... As a practice I always scan a drive before moving contents, and after running Malwarebytes Pro on that drive I was shocked to find the following:

 

Malwarebytes Anti-Malware (PRO) 1.70.0.1100
www.malwarebytes.org

Database version: v2013.02.27.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Andrew :: ARF-PC [administrator]

Protection: Disabled

2/27/2013 12:46:21 AM
MBAM-log-2013-02-27 (10-21-52).txt

Scan type: Full scan (H:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 393608
Time elapsed: 45 minute(s), 31 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 48
H:\Documents and Settings\nw.NBSAW\3231745.exe (Trojan.FakeMS) -> No action taken.
H:\Documents and Settings\nw.NBSAW\bifanyjumfuj.exe (Trojan.Ransom.Gen) -> No action taken.
H:\Documents and Settings\nw.NBSAW\cyjuguhuvurf.exe (Trojan.Ransom.Gen) -> No action taken.
H:\Documents and Settings\nw.NBSAW\neecir.exe (Worm.Obfuscated) -> No action taken.
H:\Documents and Settings\nw.NBSAW\seeove.exe (Worm.Obfuscated) -> No action taken.
H:\Documents and Settings\nw.NBSAW\Application Data\avsvci.dll (Trojan.Dropper.DU) -> No action taken.
H:\Documents and Settings\nw.NBSAW\Application Data\nedgec.dll (Trojan.Medfos) -> No action taken.
H:\Documents and Settings\nw.NBSAW\Application Data\Protector-tfuc.exe (Rogue.FakeAV) -> No action taken.
H:\Documents and Settings\nw.NBSAW\Application Data\wumsr.dll (Trojan.Medfos) -> No action taken.
H:\Documents and Settings\nw.NBSAW\Application Data\Gosete\zyib.exe (Trojan.Zbot.RH) -> No action taken.
H:\Documents and Settings\nw.NBSAW\Local Settings\Application Data\Symantec\Shopping Sidekick Plugin\xwhrjpm.dll (Trojan.Tracur) -> No action taken.
H:\Documents and Settings\nw.NBSAW\Local Settings\Temp\0.39417160931368156 (Trojan.Happili) -> No action taken.
H:\Documents and Settings\nw.NBSAW\Local Settings\Temp\0.6495704448111773 (Trojan.Happili) -> No action taken.
H:\Documents and Settings\nw.NBSAW\Local Settings\Temp\tmp442b23ab\6351.exe (Worm.Obfuscated) -> No action taken.
H:\Documents and Settings\nw.NBSAW\Local Settings\Temp\tmp7129bdb2\6351.exe (Worm.Obfuscated) -> No action taken.
H:\Documents and Settings\nw.NBSAW\Local Settings\Temp\tmp7f883f28\a3.exe (Trojan.Ransom.Gen) -> No action taken.
H:\Documents and Settings\nw.NBSAW\Local Settings\Temp\tmp98d90035\load50.exe (Trojan.Ransom.Gen) -> No action taken.
H:\Documents and Settings\nw.NBSAW\Local Settings\Temp\tmp9aaf26fa\2973.exe (Worm.Obfuscated) -> No action taken.
H:\Documents and Settings\nw.NBSAW\Local Settings\Temp\tmp9cd28a8a\load57.exe (Trojan.Ransom.Gen) -> No action taken.
H:\Documents and Settings\nw.NBSAW\Local Settings\Temp\tmp9f8c546e\load7.exe (Trojan.Agent) -> No action taken.
H:\Documents and Settings\nw.NBSAW\Local Settings\Temp\tmpa859cd1a\5365.exe (Worm.Obfuscated) -> No action taken.
H:\Documents and Settings\nw.NBSAW\Local Settings\Temp\tmpafe92caa\4779.exe (Trojan.Agent) -> No action taken.
H:\Documents and Settings\nw.NBSAW\Local Settings\Temp\tmpb6efbaab\load2.exe (Trojan.VBKrypt) -> No action taken.
H:\Documents and Settings\nw.NBSAW\Local Settings\Temp\tmpbe7741cc\2017.exe (Worm.Obfuscated) -> No action taken.
H:\Documents and Settings\nw.NBSAW\Local Settings\Temp\tmpc56ed76c\load38.exe (Trojan.Ransom.Gen) -> No action taken.
H:\Documents and Settings\nw.NBSAW\Local Settings\Temp\tmpd278bbf7\7690.exe (Trojan.VB) -> No action taken.
H:\Documents and Settings\nw.NBSAW\Local Settings\Temp\tmpf97f4678\load50.exe (Trojan.Ransom.Gen) -> No action taken.
H:\Documents and Settings\nw.NBSAW\Local Settings\Temp\xwhrjpm\xwhrjpm.dll (Trojan.Tracur) -> No action taken.
H:\Program Files\Shopping Sidekick Plugin\Shopping Sidekick Plugin-bg.exe (PUP.215Apps) -> No action taken.
H:\Program Files\Shopping Sidekick Plugin\Shopping Sidekick Plugin.dll (PUP.215Apps) -> No action taken.
H:\Program Files\Shopping Sidekick Plugin\Shopping Sidekick Plugin.exe (PUP.215Apps) -> No action taken.
H:\Program Files\Shopping Sidekick Plugin\Shopping Sidekick PluginGui.exe (PUP.215Apps) -> No action taken.
H:\Program Files\Shopping Sidekick Plugin\Uninstall.exe (PUP.215Apps) -> No action taken.
H:\RECYCLER\S-1-5-18\$faa5677541fda1dedc683b2d27f473a8\n (Trojan.0Access) -> No action taken.
H:\RECYCLER\S-1-5-18\$faa5677541fda1dedc683b2d27f473a8\U\00000004.@ (Rootkit.Zaccess) -> No action taken.
H:\RECYCLER\S-1-5-18\$faa5677541fda1dedc683b2d27f473a8\U\000000cb.@ (Rootkit.0Access) -> No action taken.
H:\RECYCLER\S-1-5-18\$faa5677541fda1dedc683b2d27f473a8\U\80000000.@ (Trojan.0Access) -> No action taken.
H:\RECYCLER\S-1-5-21-1447862761-1007041216-543773193-1148\$faa5677541fda1dedc683b2d27f473a8\n (Trojan.0Access) -> No action taken.
H:\System Volume Information\_restore{7471DDEE-C517-42CF-B462-8B6EFDC18CC5}\RP417\A0034916.exe (Trojan.Agent.SZ) -> No action taken.
H:\System Volume Information\_restore{7471DDEE-C517-42CF-B462-8B6EFDC18CC5}\RP423\A0035133.exe (Worm.Obfuscated) -> No action taken.
H:\System Volume Information\_restore{7471DDEE-C517-42CF-B462-8B6EFDC18CC5}\RP423\A0035134.exe (Worm.Obfuscated) -> No action taken.
H:\System Volume Information\_restore{7471DDEE-C517-42CF-B462-8B6EFDC18CC5}\RP425\A0035840.exe (Worm.Obfuscated) -> No action taken.
H:\System Volume Information\_restore{7471DDEE-C517-42CF-B462-8B6EFDC18CC5}\RP425\A0035841.exe (Worm.Obfuscated) -> No action taken.
H:\System Volume Information\_restore{7471DDEE-C517-42CF-B462-8B6EFDC18CC5}\RP427\A0035971.exe (Trojan.Zbot) -> No action taken.
H:\System Volume Information\_restore{7471DDEE-C517-42CF-B462-8B6EFDC18CC5}\RP431\A0036141.exe (Worm.Obfuscated) -> No action taken.
H:\System Volume Information\_restore{7471DDEE-C517-42CF-B462-8B6EFDC18CC5}\RP433\A0036836.exe (Worm.Obfuscated) -> No action taken.
H:\System Volume Information\_restore{7471DDEE-C517-42CF-B462-8B6EFDC18CC5}\RP434\A0036864.exe (Worm.Obfuscated) -> No action taken.
H:\System Volume Information\_restore{7471DDEE-C517-42CF-B462-8B6EFDC18CC5}\RP437\A0038904.ini (Trojan.0access) -> No action taken.

(end)

I know he has a remote server from his business, and my guess is this was spread from a VB file as a carrier.


Edited by hamluis, 27 February 2013 - 11:32 AM.
Moved from Malware Removal Logs (no logs) to Am I Infected - Hamluis.
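The scan output above is the post's own Malwarebytes log. What follows is an added example, not code from the post or from Malwarebytes, that parses lines in that "path (Detection) -> action." format and pulls out what a responder wants at a glance: counts per detection family, entries left as "No action taken", rootkit-class hits, and restore-point copies. The sample log is constructed: four lines are copied from the post's log and the last one is invented to show a remediated entry.

```python
import re
from collections import Counter

# Constructed sample in the format of the post's "Files Detected" section: the
# first four lines are copied from that log, the last one is invented to show a
# remediated entry.
SAMPLE_LOG = """Files Detected: 5
H:\\Documents and Settings\\nw.NBSAW\\Application Data\\Gosete\\zyib.exe (Trojan.Zbot.RH) -> No action taken.
H:\\RECYCLER\\S-1-5-18\\$faa5677541fda1dedc683b2d27f473a8\\U\\00000004.@ (Rootkit.Zaccess) -> No action taken.
H:\\Program Files\\Shopping Sidekick Plugin\\Uninstall.exe (PUP.215Apps) -> No action taken.
H:\\System Volume Information\\_restore{7471DDEE-C517-42CF-B462-8B6EFDC18CC5}\\RP427\\A0035971.exe (Trojan.Zbot) -> No action taken.
C:\\Users\\example\\AppData\\Local\\Temp\\sample.exe (Trojan.Agent) -> Quarantined and deleted successfully.

(end)
"""

# One detection line: "<path> (<detection>) -> <action>."  The greedy path group
# tolerates parentheses inside the path itself (e.g. "Program Files (x86)").
LINE_RE = re.compile(r"^(?P<path>.*) \((?P<detection>[^()]+)\) -> (?P<action>.*?)\.?$")


def parse_detections(log_text):
    """Return one dict (path, detection, action) per detection line; headers are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, map(str.strip, log_text.splitlines())) if m]


def triage(entries):
    """Summarise the log the way a responder reads it."""
    family = lambda e: e["detection"].split(".")[0]   # Trojan, Worm, Rootkit, PUP, Rogue ...
    return {
        "total": len(entries),
        "by_family": dict(Counter(family(e) for e in entries)),
        # "No action taken" means the scan only reported; nothing was quarantined.
        "unremediated": [e["path"] for e in entries if e["action"] == "No action taken"],
        # Rootkit-class hits mean the drive is not clean after an offline file scan alone.
        "rootkit_paths": [e["path"] for e in entries if family(e) == "Rootkit"],
        # Files under System Volume Information are restore-point copies, not live files.
        "restore_point_copies": [e["path"] for e in entries if "System Volume Information" in e["path"]],
    }


if __name__ == "__main__":
    report = triage(parse_detections(SAMPLE_LOG))
    print(f"{report['total']} detections, {len(report['unremediated'])} not remediated")
    for fam, n in sorted(report["by_family"].items()):
        print(f"  {fam:8s} {n}")
```

Run against the full log in the post, every one of the 48 entries lands in "unremediated", which is the point to take from "No action taken": the scan found the files but removed nothing.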



#2 caperjac


Posted 27 February 2013 - 09:40 PM

Wow,

It's been a while, but I think I had some just as bad or worse a few years back.


My answers are my opinion only, usually




