XP hit with Ransom virus- need help


23 replies to this topic

#1 Jona123


Posted 28 October 2013 - 10:43 PM

I was infected this morning with the ICE Ransom Virus.

I have a Dell running windows XP Home Edition sp3 and have ZoneAlarm that is running all the time.

I have followed the steps outlined and got through step 9.

In step 10 the HitmanPro screen never showed, even after about 2-3 minutes.

I now get an error

MBR Read

"Couldn't open drive multi(0)disk(0)partition(2)"

"NTLDR: Couldn't open drive multi(0)disk(0)partition(2)"

 

I tried to reload HitmanPro to the USB drive from an ancient Dell Latitude laptop.

 

My questions are:

I downloaded HitmanPro to the USB drive on the infected computer using Safe Mode with Networking.

Is it possible the virus tagged along?

 

I looked at the USB drive from my mac and there is nothing on it.

I tried to restore from a previous restore point, but that was unsuccessful: the restore moves along for a minute or so and then exits.

 

Bought a new USB and loaded Hitman PRO and same result.

Was able to boot off USB on a Dell Latitude laptop

The USB actually had HitManPro_x64 and it seems the _x32 does not download. (read on the laptop)

 

Used a CD from SurfRight.

Using the CD did not change the results.

On selecting option 2 I receive

"Couldn't open drive multi(0)disk(0)partition(2)"

"NTLDR: Couldn't open drive multi(0)disk(0)partition(2)"

"Loading PBR for descriptor 2...done."

 

Cannot run DDS because I cannot get past the ransom notice to download it.




#2 Jona123


Posted 31 October 2013 - 09:49 AM

It has been

I ran option 3 and was able to get Hitman to run and it removed the 2 malware and 2 Trojans that got past ZoneAlarm.

 

On reboot my "normal" desktop is not displayed.  I get a command.exe box that says the malware is an invalid file.

I close the window and wait and nothing happens.  Getting into task manager vsmon.exe is taking up 193,456 of memory, no applications show as running.

Suggestions on next steps, would be appreciated.

 

DDS downloaded and ran.


Edited by Jona123, 31 October 2013 - 12:04 PM.


#3 xXToffeeXx

  • Malware Response Instructor

Posted 31 October 2013 - 10:42 AM

Hey Jona123,

 

In Task Manager you should see File at the top; click on that and you should see a dropdown menu with New Task (Run...) on it. Click on Run, and in the window that appears type explorer and press OK. You should now see your desktop; tell me if you get this far, or if you have any problems.

 

vsmon.exe is part of ZoneAlarm, just to let you know. 

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#4 Jona123


Posted 31 October 2013 - 11:38 AM

Thank you xXToffeeXx for your response

 

I assume you meant to boot in normal mode; in Task Manager I followed your instructions and have my desktop back, YEA!!!

Recommended next steps?



#5 xXToffeeXx


Posted 31 October 2013 - 12:02 PM

Hello Jona123,

 

I noticed you have posted DDS logs in this topic. This log is not allowed in AII, but I am willing to direct you to the correct forum where the logs should be posted. Just to let you know, running explorer is not permanent, and if you reboot then you need to follow the steps I gave you again.

 

xXToffeeXx~




#6 Jona123


Posted 31 October 2013 - 12:06 PM

I removed the log entry. To rebuild my cmd.exe, what step should I do? I assume edit the startup. I would appreciate advice.



#7 Jona123


Posted 31 October 2013 - 12:09 PM

Another question, Hitman scans C: only it appears but my backup drive (a 1T usb drive) was connected at time of infection, what can or should I do to scan that drive?



#8 xXToffeeXx


Posted 31 October 2013 - 12:26 PM

Hi Jona123,

 

I removed the log entry. To rebuild my cmd.exe, what step should I do? I assume edit the startup. I would appreciate advice.

We will deal with that by editing the registry; explorer has nothing to do with cmd. They are different matters.

 

Another question, Hitman scans C: only it appears but my backup drive (a 1T usb drive) was connected at time of infection, what can or should I do to scan that drive?

I will provide scans for you to check for infection after we have sorted the explorer issue out.

 

The following steps involve editing the registry, so we need to make a backup first:

 

We need to run a registry backup with ERUNT:

Before we continue making any changes to your machine, we need to back up your current registry configuration.

  • Click here to open the download page for ERUNT
  • Scroll down to the Download ERUNT: section and choose a download server for erunt-setup.exe
  • Save the file to your desktop
  • Run erunt-setup.exe to install the application on your computer
  • Click Next on each screen accepting the defaults, click Install
  • Choose whether or not to run ERUNT at startup (recommended)
  • Untick Show Documentation and click Finish to launch ERUNT
    (it can also be run from Start > Program Files > ERUNT > ERUNT)
  • Click Ok on the dialog box, select the folder for ERUNT to backup to (default recommended)
    (a warning might appear if the folder does not exist, click yes to create it)
  • ERUNT will run and a message will notify you that the backup is complete

Note: alternatively you can run the version without an installer by downloading erunt.zip, extracting the contents to a directory of your choice, and running ERUNT.EXE

 

---------------

 

We need to run a registry script:

  • Click on the Start button, then Run...
  • In the box that appears, type notepad and press Enter

Next:

  • Copy and paste the following text into the notepad document:

Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="explorer.exe"
  • Click on File, then Save As...
  • Click on your Desktop as the save location, then in the file name box type: fix.reg.
  • Click save and close the notepad document.
  • Double-click the file fix.reg on your desktop.
    Note: If prompted by User Account Control, select Yes or Allow so the fix can continue.
  • A message will appear about adding information into the registry, click Yes when prompted.
  • A prompt should appear that the information was added successfully.
    Note: If not, please note the error message and post it in your next reply.
  • Right-click on fix.reg and click Delete, then click Yes to confirm.

 

---------------

 

Export a registry key using a batch script:

  • Copy and paste the following text into the notepad document:
@echo off 
del "%userprofile%\desktop\look.txt" 
REG QUERY "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon" /v shell > "%userprofile%\desktop\look.txt" 
notepad "%userprofile%\desktop\look.txt"
  • Click on File, then Save As...
  • Click on your Desktop as the save location, then in the file name box type: find.bat
  • Click save and close the notepad document.
  • Double-click the file find.bat on your desktop.
  • A notepad file should open, copy and paste the contents into your next reply.
  • Right-click on find.bat and click Delete, then click Yes to confirm.

xXToffeeXx~




#9 Jona123


Posted 31 October 2013 - 01:00 PM

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
    shell    REG_SZ    explorer.exe

 

edit: the insert was successful


Edited by Jona123, 31 October 2013 - 01:27 PM.


#10 xXToffeeXx


Posted 31 October 2013 - 01:45 PM

Hi Jona123,
 
Good, the reg fix worked, and now explorer should start up normally.
 
I would like you to run some other programs to check for any leftovers of the malware. Feel free to plug in your external drive, and I will provide instructions to scan the external drive as well as your computer:
 
===================================================

Malwarebytes Including External Devices

--------------------
 
Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download. You can also right click on the link and select Save Link As
  • Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
    • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
      For instructions with screenshots, please refer to this Guide.
    • When the installation begins, follow the prompts and do not make any changes to default settings except to uncheck any offer for a free Pro trial version .
    • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
    • If an update is found, the program will automatically update itself. Press the OK button and continue.
    • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
    • Under the Scanner tab, make sure the "Perform Full Scan" option is selected.
    • Click on the Scan button.
    • Place an additional check mark next to any attached external devices
    • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked and then click Remove Selected.
    • When removal is completed, a log report will open in Notepad.
    • The log is automatically saved and can be viewed by clicking the Logs tab.
    • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
    • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.
 
===================================================

ESET Online Scanner Including External Drives

--------------------

I'd like us to scan your machine with ESET OnlineScan. This process may take several hours; that is normal.
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop and Select Run
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
    • In the Current scan targets line click Change...
    • Place an additional check mark next to any attached external drives
    • Click OK, then Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Copy and paste the information in your next reply. Note: If no malware was found you will not get a log.
  • Click the Back button.
  • Click the Finish button.
===================================================

Autoruns

--------------------
 
Please download Autoruns.
 
Open Downloads in your browser and click on the Autoruns download.
 
Click on Run to initiate the installation.
 
When Autoruns loads you will see an image similar to the one below.
 
[screenshot of the Autoruns window]

xXToffeeXx~



#11 Jona123


Posted 31 October 2013 - 02:30 PM

Just FYI before we get too far, I rebooted in regular mode (not safe) and had to execute the explorer from task manager.  The cmd.exe popped up first with the message:

"Microsoft Windows XP [Version 5.1.2600]

<C> Copyright 1985-2001 Microsoft Corp.

'"C:\DOCUME~1\JONAND~1\LOCALS~1\Temp\fvJcrgR0.exe" is not recognized as an internal or external command, operable program or batch file.

 

This is a good thing, because that was the name of the malware that caused all this and was disabled by Hitman.

 

Hopefully the steps above will rectify this.



#12 xXToffeeXx


Posted 31 October 2013 - 02:43 PM

Hi Jona123,

 

Just FYI before we get too far, I rebooted in regular mode (not safe) and had to execute the explorer from task manager.  The cmd.exe popped up first with the message:

"Microsoft Windows XP [Version 5.1.2600]

<C> Copyright 1985-2001 Microsoft Corp.

'"C:\DOCUME~1\JONAND~1\LOCALS~1\Temp\fvJcrgR0.exe" is not recognized as an internal or external command, operable program or batch file.

 

This is a good thing, because that was the name of the malware that caused all this and was disabled by Hitman.

 

Hopefully the steps above will rectify this.

Yes, that is caused by remaining registry keys that the malware was using to load itself, which Hitman did not remove. The tools will probably clean it up, or the scan I asked for will tell us where it is running from.

 

Some of them may take a little while to run, so please be patient.

 

xXToffeeXx~



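Post #8's find.bat dumps the Winlogon Shell value with REG QUERY, and post #12 attributes the cmd.exe pop-up to leftover registry entries; the Malwarebytes log further down reports exactly such an entry (HKCU ...\Winlogon|Shell = cmd.exe, PUM.Shell.CMD). As an added example that is not code from the thread, here is a Python audit of that REG QUERY output which flags a non-default Shell or Userinit under HKLM and any per-user copy under HKCU. The expected-default table, the sample outputs and the function names are my own assumptions and constructions.

```python
import re

# Winlogon values a clean Windows XP / Server 2003 install carries under
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (assumed defaults,
# compared case-insensitively; Userinit keeps the trailing comma Windows writes).
EXPECTED_HKLM = {
    "shell": "explorer.exe",
    "userinit": r"c:\windows\system32\userinit.exe,",
}

# Key lines start at column 0 with the hive; value lines are indented,
# e.g. "    shell    REG_SZ    explorer.exe" (the REG.EXE 3.0 layout seen in post #9).
KEY_RE = re.compile(r"^(HKEY_[A-Z_]+|HK(?:LM|CU|CR|U|CC))\\", re.IGNORECASE)
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")


def parse_reg_query(text):
    """Parse `reg query <key> /v <name>` output into {key: {value_name: (type, data)}}."""
    parsed = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue  # blank lines and the "! REG.EXE VERSION 3.0" banner
        if KEY_RE.match(line):
            current = line.strip()
            parsed.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, vtype, data = m.groups()
            parsed[current][name.lower()] = (vtype, data)
    return parsed


def audit_winlogon(parsed):
    """Return findings for Shell/Userinit values that deviate from the defaults.

    An empty list means the machine-wide values are the defaults and no
    per-user override exists.
    """
    findings = []
    for key, values in parsed.items():
        hive = key.split("\\", 1)[0].upper()
        per_user = hive in ("HKEY_CURRENT_USER", "HKCU")
        for name, expected in EXPECTED_HKLM.items():
            if name not in values:
                continue
            vtype, data = values[name]
            if per_user:
                # A clean XP profile has no Shell/Userinit under HKCU; Winlogon uses a
                # per-user value when one exists, which is how the thread's infection
                # replaced explorer.exe with cmd.exe (the PUM.Shell.CMD hit in the log).
                findings.append(f"{key}: per-user {name} = {data!r} (should not exist)")
            elif data.strip().lower() != expected:
                findings.append(f"{key}: {name} = {data!r}, expected {expected!r}")
    return findings


# Constructed sample outputs (not captured from the thread's machine).
CLEAN_OUTPUT = """! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon
    shell    REG_SZ    explorer.exe
"""

HIJACKED_OUTPUT = """! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon
    shell    REG_SZ    explorer.exe

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon
    Shell    REG_SZ    cmd.exe
"""

if __name__ == "__main__":
    for label, text in (("clean", CLEAN_OUTPUT), ("hijacked", HIJACKED_OUTPUT)):
        findings = audit_winlogon(parse_reg_query(text))
        print(f"{label}: {'OK' if not findings else 'FINDINGS'}")
        for finding in findings:
            print("  " + finding)
```

To audit a real machine, query both hives with `reg query` (with and without `/v`) and feed the combined text to parse_reg_query; a per-user Shell value is worth checking even when the HKLM value looks correct, as post #9's output did.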

#13 Jona123


Posted 31 October 2013 - 09:47 PM

Nearly 6 hours later, name replaced with xxx  xxxxxxxx in the logs

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.10.31.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
xxx xxxxxxxxx :: DELLINOFFICE [administrator]

10/31/2013 12:50:04 PM
mbam-log-2013-10-31 (12-50-04).txt

Scan type: Full scan (C:\|G:\|I:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 525271
Time elapsed: 6 hour(s), 32 minute(s), 59 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 18
HKCR\CLSID\{28949824-6737-0594-0930-223283753445} (Trojan.Agent.RDN) -> Quarantined and deleted successfully.
HKCR\*\shellex\ContextMenuHandlers\{28949824-6737-0594-0930-223283753445} (Trojan.Agent.RDN) -> Quarantined and deleted successfully.
HKCR\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (Adware.Minibug) -> Quarantined and deleted successfully.
HKCR\CLSID\{67BD9EEB-AA06-4329-A940-D250019300C9} (PUP.Software.Updater) -> Quarantined and deleted successfully.
HKCR\TypeLib\{A0EE0278-2986-4E5A-884E-A3BF0357E476} (PUP.Software.Updater) -> Quarantined and deleted successfully.
HKCR\Interface\{9EDC0C90-2B5B-4512-953E-35767BAD5C67} (PUP.Software.Updater) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{99C91FC5-DB5B-4AA0-BB70-5D89C5A4DF96} (PUP.Software.Updater) -> Quarantined and deleted successfully.
HKCR\Updater.AmiUpd.1 (PUP.Software.Updater) -> Quarantined and deleted successfully.
HKCR\Updater.AmiUpd (PUP.Software.Updater) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browsersafeguard (PUP.Optional.BrowserSafeGuard.A) -> Quarantined and deleted successfully.
HKCR\MyWaySearchAssistantDE.Auxiliary (Adware.MyWaySearch) -> Quarantined and deleted successfully.
HKCR\MyWaySearchAssistantDE.Auxiliary.1 (Adware.MyWaySearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\BROWSERSAFEGUARD (PUP.Optional.BrowserSafeGuard.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IECT3317127 (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
HKCR\CLSID\{5F520D40-805B-4169-BB2B-40E37EE57701} (PUP.Optional.WhiteSmoke.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5F520D40-805B-4169-BB2B-40E37EE57701} (PUP.Optional.WhiteSmoke.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{5F520D40-805B-4169-BB2B-40E37EE57701} (PUP.Optional.WhiteSmoke.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5F520D40-805B-4169-BB2B-40E37EE57701} (PUP.Optional.WhiteSmoke.A) -> Quarantined and deleted successfully.

Registry Values Detected: 4
HKCU\Software\Microsoft\Windows NT\CurrentVersion\WinlogoN|Shell (PUM.Shell.CMD) -> Data: cmd.exe -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Browsersafeguard|sourceid (PUP.Optional.BrowserSafeGuard.A) -> Data: google_browsersafeguard-display-us-bleeping-728x90-36639128953 -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser|{5F520D40-805B-4169-BB2B-40E37EE57701} (PUP.Optional.WhiteSmoke.A) -> Data: @
R_[€iA»+@ã~åw -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{5F520D40-805B-4169-BB2B-40E37EE57701} (PUP.Optional.WhiteSmoke.A) -> Data: WhiteSmoke New V.13 Toolbar -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 16
C:\Documents and Settings\Administrator\Application Data\SwvUpdater (PUP.Software.Updater) -> Quarantined and deleted successfully.
C:\Program Files\Browsersafeguard (PUP.Optional.BrowserSafeGuard.A) -> Quarantined and deleted successfully.
C:\Program Files\Browsersafeguard\Resources (PUP.Optional.BrowserSafeGuard.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\BrowserSafeguard (PUP.Optional.BrowserSafeGuard) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\ct3317127 (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\ct3317127\plugins (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\ct3317127\xpi (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\ct3317127\xpi\defaults (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\ct3317127\xpi\defaults\preferences (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Conduit\IE (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Conduit\IE\CT3317127 (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\WhiteSmoke_New_V.13 (PUP.Optional.WhiteSmoke.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\WhiteSmoke_New_V.13\Logs (PUP.Optional.WhiteSmoke.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jon  Anderson\Local Settings\Application Data\WhiteSmoke_New_V.13 (PUP.Optional.WhiteSmoke.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jon  Anderson\Local Settings\Application Data\WhiteSmoke_New_V.13\Logs (PUP.Optional.WhiteSmoke.A) -> Quarantined and deleted successfully.
C:\Program Files\WhiteSmoke_New_V.13 (PUP.Optional.WhiteSmoke.A) -> Quarantined and deleted successfully.

Files Detected: 123
C:\Documents and Settings\Administrator\Application Data\SwvUpdater\Updater.exe (PUP.Software.Updater) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Conduit\CT3317127\WhiteSmoke_New_V.13AutoUpdateHelper.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\dlLogic.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\ct3317127\chlogic.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\ct3317127\ctbe.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\ct3317127\fflogic.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\ct3317127\ielogic.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\ct3317127\statisticsStub.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\60KG8T7T\checktbexist[1].exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\7JY5TPLA\WhiteSmoke_New_V.13[1].exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\7JY5TPLA\whitesmoke_new_v.13[2].exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\7JY5TPLA\WhiteSmoke_New_V_13_wpf[1].exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\R6N771J4\Launcher[1].exe (PUP.Optional.Amonetize.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\R6N771J4\Setup[1].exe (PUP.Optional.iBryte) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZQQBBUH0\statisticsstub[1].exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Program Files\WhiteSmoke_New_V.13\WhiteSmoke_New_V.13ToolbarHelper.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1878\A0403242.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1878\A0403243.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1878\A0403280.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1878\A0403281.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1878\A0403284.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1878\A0403285.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1878\A0403286.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1878\A0403287.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1878\A0403288.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1878\A0403289.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1878\A0403290.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1878\A0403291.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1878\A0403292.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1878\A0403298.exe (PUP.Optional.Amonetize.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1878\A0403300.exe (PUP.Optional.iBryte) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1878\A0403294.exe (PUP.Optional.Amonetize) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1879\A0404418.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1879\A0404419.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1879\A0404456.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1879\A0404457.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1879\A0404460.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1879\A0404461.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1879\A0404462.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1879\A0404463.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1879\A0404464.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1879\A0404465.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1879\A0404466.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1879\A0404467.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1879\A0404468.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1879\A0404474.exe (PUP.Optional.Amonetize.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1879\A0404476.exe (PUP.Optional.iBryte) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1879\A0404470.exe (PUP.Optional.Amonetize) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1880\A0406596.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1880\A0406597.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1880\A0406634.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1880\A0406635.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1880\A0406638.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1880\A0406639.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1880\A0406640.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1880\A0406641.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1880\A0406642.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1880\A0406643.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1880\A0406644.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1880\A0406645.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1880\A0406648.exe (PUP.Optional.Amonetize) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1880\A0406652.exe (PUP.Optional.Amonetize.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1880\A0406654.exe (PUP.Optional.iBryte) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1880\A0406646.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Temp\New Folder\msoe2007keygen.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
G:\WD SmartWare.swstor\DELLINOFFICE\Volume.563950ec.86cc.11d9.82b6.806d6172696f\I386\GTDownDE_87.ocx (Adware.Gdown) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\SwvUpdater\Updater.xml (PUP.Software.Updater) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\SwvUpdater\status.cfg (PUP.Software.Updater) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\AmiUpdXp.job (PUP.Software.Updater) -> Quarantined and deleted successfully.
C:\Documents and Settings\xxx  xxxxxxxx\Local Settings\Temp\fvJcrgR.exe (Exploit.Drop.GS) -> Quarantined and deleted successfully.
C:\Documents and Settings\xxx  xxxxxxxx\Favorites\Qword Search Engine.url (Adware.QWO) -> Quarantined and deleted successfully.
C:\Documents and Settings\xxx  xxxxxxxx\Templates\2433f433 (Trojan.Agent.TPL) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\2433f433 (Trojan.Agent.TPL) -> Quarantined and deleted successfully.
C:\Documents and Settings\xxx  xxxxxxxx\Application Data\2433f433 (Trojan.Agent.TPL) -> Quarantined and deleted successfully.
C:\Documents and Settings\xxx  xxxxxxxx\Local Settings\Application Data\2433f433 (Trojan.Agent.TPL) -> Quarantined and deleted successfully.
C:\Program Files\Browsersafeguard\ewebstorewrapper.dll (PUP.Optional.BrowserSafeGuard.A) -> Quarantined and deleted successfully.
C:\Program Files\Browsersafeguard\BrowserSafeguard.exe (PUP.Optional.BrowserSafeGuard.A) -> Quarantined and deleted successfully.
C:\Program Files\Browsersafeguard\install.log (PUP.Optional.BrowserSafeGuard.A) -> Quarantined and deleted successfully.
C:\Program Files\Browsersafeguard\makecert.exe (PUP.Optional.BrowserSafeGuard.A) -> Quarantined and deleted successfully.
C:\Program Files\Browsersafeguard\TrustedRoot.cer (PUP.Optional.BrowserSafeGuard.A) -> Quarantined and deleted successfully.
C:\Program Files\Browsersafeguard\uninstall.browsersafeguard.exe (PUP.Optional.BrowserSafeGuard.A) -> Quarantined and deleted successfully.
C:\Program Files\Browsersafeguard\Resources\certutil.exe (PUP.Optional.BrowserSafeGuard.A) -> Quarantined and deleted successfully.
C:\Program Files\Browsersafeguard\Resources\libnspr4.dll (PUP.Optional.BrowserSafeGuard.A) -> Quarantined and deleted successfully.
C:\Program Files\Browsersafeguard\Resources\libplc4.dll (PUP.Optional.BrowserSafeGuard.A) -> Quarantined and deleted successfully.
C:\Program Files\Browsersafeguard\Resources\libplds4.dll (PUP.Optional.BrowserSafeGuard.A) -> Quarantined and deleted successfully.
C:\Program Files\Browsersafeguard\Resources\nss3.dll (PUP.Optional.BrowserSafeGuard.A) -> Quarantined and deleted successfully.
C:\Program Files\Browsersafeguard\Resources\smime3.dll (PUP.Optional.BrowserSafeGuard.A) -> Quarantined and deleted successfully.
C:\Program Files\Browsersafeguard\Resources\softokn3.dll (PUP.Optional.BrowserSafeGuard.A) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\BrowserSafeguard Update Task.job (PUP.Optional.BrowserSafeGuard.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\BrowserSafeguard\BrowserSafeguard.lnk (PUP.Optional.BrowserSafeGuard) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\ct3317127\chromeid.txt (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\ct3317127\conduit.xml (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\ct3317127\CT3317127.txt (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\ct3317127\CT3317127.xpi (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\ct3317127\initdata.json (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\ct3317127\manifest.json (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\ct3317127\setup.ini.txt (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\ct3317127\version.txt (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\ct3317127\plugins\TBVerifier.dll (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\ct3317127\xpi\install.rdf (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\ct3317127\xpi\defaults\preferences\defaults.js (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Conduit\IE\CT3317127\configutaion.json (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Conduit\IE\CT3317127\SetupIcon.ico (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Conduit\IE\CT3317127\UninstallerUI.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\WhiteSmoke_New_V.13\hk64tbWhit.dll (PUP.Optional.WhiteSmoke.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\WhiteSmoke_New_V.13\hktbWhit.dll (PUP.Optional.WhiteSmoke.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\WhiteSmoke_New_V.13\ldrtbWhit.dll (PUP.Optional.WhiteSmoke.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\WhiteSmoke_New_V.13\tbWhit.dll (PUP.Optional.WhiteSmoke.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\WhiteSmoke_New_V.13\toolbar.cfg (PUP.Optional.WhiteSmoke.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\xxx  xxxxxxxx\Local Settings\Application Data\WhiteSmoke_New_V.13\hktbWhit.dll (PUP.Optional.WhiteSmoke.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\xxx  xxxxxxxx\Local Settings\Application Data\WhiteSmoke_New_V.13\ldrtbWhit.dll (PUP.Optional.WhiteSmoke.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\xxx  xxxxxxxx\Local Settings\Application Data\WhiteSmoke_New_V.13\tbWhit.dll (PUP.Optional.WhiteSmoke.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\xxx  xxxxxxxx\Local Settings\Application Data\WhiteSmoke_New_V.13\toolbar.cfg (PUP.Optional.WhiteSmoke.A) -> Quarantined and deleted successfully.
C:\Program Files\WhiteSmoke_New_V.13\GottenAppsContextMenu.xml (PUP.Optional.WhiteSmoke.A) -> Quarantined and deleted successfully.
C:\Program Files\WhiteSmoke_New_V.13\hk64tbWhit.dll (PUP.Optional.WhiteSmoke.A) -> Quarantined and deleted successfully.
C:\Program Files\WhiteSmoke_New_V.13\hktbWhit.dll (PUP.Optional.WhiteSmoke.A) -> Quarantined and deleted successfully.
C:\Program Files\WhiteSmoke_New_V.13\ldrtbWhit.dll (PUP.Optional.WhiteSmoke.A) -> Quarantined and deleted successfully.
C:\Program Files\WhiteSmoke_New_V.13\OtherAppsContextMenu.xml (PUP.Optional.WhiteSmoke.A) -> Quarantined and deleted successfully.
C:\Program Files\WhiteSmoke_New_V.13\prxtbWhit.dll (PUP.Optional.WhiteSmoke.A) -> Quarantined and deleted successfully.
C:\Program Files\WhiteSmoke_New_V.13\SharedAppsContextMenu.xml (PUP.Optional.WhiteSmoke.A) -> Quarantined and deleted successfully.
C:\Program Files\WhiteSmoke_New_V.13\tbWhit.dll (PUP.Optional.WhiteSmoke.A) -> Quarantined and deleted successfully.
C:\Program Files\WhiteSmoke_New_V.13\toolbar.cfg (PUP.Optional.WhiteSmoke.A) -> Quarantined and deleted successfully.
C:\Program Files\WhiteSmoke_New_V.13\ToolbarContextMenu.xml (PUP.Optional.WhiteSmoke.A) -> Quarantined and deleted successfully.

(end)


Edited by Jona123, 31 October 2013 - 10:09 PM.


#14 Jona123

  • Topic Starter

Posted 01 November 2013 - 09:49 AM

ESET still running at 11:30:00 so far and 45% complete



#15 Jona123

  • Topic Starter

Posted 01 November 2013 - 12:54 PM

ESET log

C:\Documents and Settings\xxx xxxxxxxx\Application Data\Sun\Java\Deployment\cache\6.0\13\64821d0d-5c5a1b27    probably a variant of Java/Exploit.CVE-2012-1723.EB trojan    cleaned by deleting - quarantined
C:\Documents and Settings\xxx xxxxxxxx\Application Data\Sun\Java\Deployment\cache\6.0\22\44c20996-55601987    Java/Exploit.CVE-2012-1723.IK trojan    cleaned by deleting - quarantined
C:\Documents and Settings\xxx xxxxxxxx\Application Data\Sun\Java\Deployment\cache\6.0\52\6c83b234-61f84423    multiple threats    cleaned by deleting - quarantined
C:\Documents and Settings\xxx xxxxxxxx\Local Settings\Temp\jar_cache7778983984459183857.tmp    a variant of Java/Obfus.I trojan    cleaned by deleting - quarantined