Hijack Log- Fake Visa Verification Site [CLOSED]


This topic is locked

#121 fenzodahl512 (Malware Removal, 9,863 posts)

I'm working on it.


Ok :)

#122 decane (Topic Starter, 105 posts)
The full system scan for Dr CureIT is taking a while. Nothing was identified during the express scan. Below are the mbr results.

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x950e4c1 size 0x1e4 !
copy of MBR has been found in sector 62 !

#123 fenzodahl512 (Malware Removal, 9,863 posts)

The full system scan for Dr CureIT is taking a while. Nothing was identified during the express scan. Below are the mbr results.

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x950e4c1 size 0x1e4 !
copy of MBR has been found in sector 62 !



Erm.. ok.. waiting for Dr Web...

#124 decane (Topic Starter, 105 posts)
Yeah..... it's still running. The product I'm running is Dr.Web CureIt.

It has identified 27 items so far. I think it will be done in the next hour.

#125 decane (Topic Starter, 105 posts)
The scan finally finished. I believe the cure/move fill finished, but I'm not 100% certain. Anyway here is the new csv file. Did it work?

RegUBP2b-Michael.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
SDFix.exe\SDFix\apps\Process.exe;C:\Documents and Settings\Michael\Desktop\SDFix.exe;Tool.Prockill;;
SDFix.exe;C:\Documents and Settings\Michael\Desktop;Archive contains infected objects;Moved.;
SmitfraudFix.exe\SmitfraudFix\404Fix.exe;C:\Documents and Settings\Michael\Desktop\SmitfraudFix.exe;BackDoor.IRC.Chazz.38;;
SmitfraudFix.exe\SmitfraudFix\GenericRenosFix.exe;C:\Documents and Settings\Michael\Desktop\SmitfraudFix.exe;BackDoor.IRC.Chazz.38;;
SmitfraudFix.exe\SmitfraudFix\IEDFix.C.exe;C:\Documents and Settings\Michael\Desktop\SmitfraudFix.exe;BackDoor.IRC.Chazz.38;;
SmitfraudFix.exe\SmitfraudFix\IEDFix.exe;C:\Documents and Settings\Michael\Desktop\SmitfraudFix.exe;BackDoor.IRC.Chazz.38;;
SmitfraudFix.exe\SmitfraudFix\Process.exe;C:\Documents and Settings\Michael\Desktop\SmitfraudFix.exe;Tool.Prockill;;
SmitfraudFix.exe\SmitfraudFix\restart.exe;C:\Documents and Settings\Michael\Desktop\SmitfraudFix.exe;Tool.ShutDown.11;;
SmitfraudFix.exe;C:\Documents and Settings\Michael\Desktop;Archive contains infected objects;Moved.;
404Fix.exe;C:\Documents and Settings\Michael\Desktop\SmitfraudFix;BackDoor.IRC.Chazz.38;Deleted.;
GenericRenosFix.exe;C:\Documents and Settings\Michael\Desktop\SmitfraudFix;BackDoor.IRC.Chazz.38;Deleted.;
IEDFix.C.exe;C:\Documents and Settings\Michael\Desktop\SmitfraudFix;BackDoor.IRC.Chazz.38;Deleted.;
IEDFix.exe;C:\Documents and Settings\Michael\Desktop\SmitfraudFix;BackDoor.IRC.Chazz.38;Deleted.;
Process.exe;C:\Documents and Settings\Michael\Desktop\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\Michael\Desktop\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
A0191685.reg;C:\System Volume Information\_restore{A856ED90-CE79-4D4B-A898-2BAD8DB72982}\RP947;Trojan.StartPage.1505;Deleted.;
A0191686.exe\SDFix\apps\Process.exe;C:\System Volume Information\_restore{A856ED90-CE79-4D4B-A898-2BAD8DB72982}\RP947\A0191686.exe;Tool.Prockill;;
A0191686.exe;C:\System Volume Information\_restore{A856ED90-CE79-4D4B-A898-2BAD8DB72982}\RP947;Archive contains infected objects;Moved.;
A0191687.exe\SmitfraudFix\404Fix.exe;C:\System Volume Information\_restore{A856ED90-CE79-4D4B-A898-2BAD8DB72982}\RP947\A0191687.exe;BackDoor.IRC.Chazz.38;;
A0191687.exe\SmitfraudFix\GenericRenosFix.exe;C:\System Volume Information\_restore{A856ED90-CE79-4D4B-A898-2BAD8DB72982}\RP947\A0191687.exe;BackDoor.IRC.Chazz.38;;
A0191687.exe\SmitfraudFix\IEDFix.C.exe;C:\System Volume Information\_restore{A856ED90-CE79-4D4B-A898-2BAD8DB72982}\RP947\A0191687.exe;BackDoor.IRC.Chazz.38;;
A0191687.exe\SmitfraudFix\IEDFix.exe;C:\System Volume Information\_restore{A856ED90-CE79-4D4B-A898-2BAD8DB72982}\RP947\A0191687.exe;BackDoor.IRC.Chazz.38;;
A0191687.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{A856ED90-CE79-4D4B-A898-2BAD8DB72982}\RP947\A0191687.exe;Tool.Prockill;;
A0191687.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{A856ED90-CE79-4D4B-A898-2BAD8DB72982}\RP947\A0191687.exe;Tool.ShutDown.11;;
A0191687.exe;C:\System Volume Information\_restore{A856ED90-CE79-4D4B-A898-2BAD8DB72982}\RP947;Archive contains infected objects;Moved.;
A0191688.exe;C:\System Volume Information\_restore{A856ED90-CE79-4D4B-A898-2BAD8DB72982}\RP947;BackDoor.IRC.Chazz.38;Deleted.;
A0191689.exe;C:\System Volume Information\_restore{A856ED90-CE79-4D4B-A898-2BAD8DB72982}\RP947;BackDoor.IRC.Chazz.38;Deleted.;
A0191690.exe;C:\System Volume Information\_restore{A856ED90-CE79-4D4B-A898-2BAD8DB72982}\RP947;BackDoor.IRC.Chazz.38;Deleted.;
A0191691.exe;C:\System Volume Information\_restore{A856ED90-CE79-4D4B-A898-2BAD8DB72982}\RP947;BackDoor.IRC.Chazz.38;Deleted.;
404Fix.exe;C:\WINDOWS\system32;BackDoor.IRC.Chazz.38;Deleted.;
IEDFix.C.exe;C:\WINDOWS\system32;BackDoor.IRC.Chazz.38;Deleted.;
IEDFix.exe;C:\WINDOWS\system32;BackDoor.IRC.Chazz.38;Deleted.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Moved.;
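Added here as a worked example (not from the thread, and not Dr.Web's own code): a small Python reader for the semicolon-separated CureIt results above. The field layout name;path;threat;action is read off the posted lines and is an assumption, as is the reading of a backslash in the name field as "object inside an archive"; the sample rows are constructed from the posted CSV.

```python
"""Summarise a Dr.Web CureIt results CSV (constructed excerpt of the thread's log)."""
import csv
from collections import Counter
from io import StringIO
from typing import Dict, List

# Constructed sample: rows copied from the posted CSV, one per situation of
# interest (plain detection, object inside an archive, archive container,
# incurable tool, restore-point copy). Layout assumed: name;path;threat;action;
SAMPLE_CSV = r"""
RegUBP2b-Michael.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
SDFix.exe\SDFix\apps\Process.exe;C:\Documents and Settings\Michael\Desktop\SDFix.exe;Tool.Prockill;;
SDFix.exe;C:\Documents and Settings\Michael\Desktop;Archive contains infected objects;Moved.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Moved.;
A0191688.exe;C:\System Volume Information\_restore{A856ED90-CE79-4D4B-A898-2BAD8DB72982}\RP947;BackDoor.IRC.Chazz.38;Deleted.;
"""

RESTORE_MARKER = "\\System Volume Information\\_restore"


def parse_records(text: str) -> List[Dict[str, object]]:
    """Split each semicolon-delimited line into name, path, threat, action.

    A backslash inside the *name* field means the object was found inside an
    archive; CureIt leaves its action empty and acts on the container row.
    """
    records: List[Dict[str, object]] = []
    for row in csv.reader(StringIO(text), delimiter=";"):
        if len(row) < 4:          # skips blank lines (csv yields [] for them)
            continue
        name, path, threat, action = (f.strip() for f in row[:4])
        records.append({
            "name": name,
            "path": path,
            "threat": threat,
            "action": action,
            "nested": "\\" in name,
            "restore_point": RESTORE_MARKER in path,
            "is_tool": threat.startswith("Tool."),   # riskware/utility class
            "container": threat == "Archive contains infected objects",
        })
    return records


def summarize(records: List[Dict[str, object]]) -> Dict[str, object]:
    """Roll the rows up into what a reviewer wants to know at a glance."""
    top_level = [r for r in records if not r["nested"]]
    actions = Counter(str(r["action"]) for r in top_level)
    unhandled = [f'{r["path"]}\\{r["name"]}' for r in top_level if not r["action"]]
    return {
        "total": len(records),
        "nested": sum(1 for r in records if r["nested"]),
        "containers": sum(1 for r in records if r["container"]),
        "restore_point_copies": sum(1 for r in records if r["restore_point"]),
        "tool_detections": sum(1 for r in records if r["is_tool"]),
        "actions": dict(actions),
        # Top-level rows with no action were neither deleted nor moved and
        # still need attention.
        "unhandled": unhandled,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_records(SAMPLE_CSV)).items():
        print(f"{key}: {value}")
```

Rows flagged `is_tool` are the Tool.* detections on the removal utilities themselves, which is worth separating from the BackDoor/Trojan rows before deciding whether the scan "worked".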

#126 decane (Topic Starter, 105 posts)
Below is the updated mbrtxt file. It looks like the problem is still there.

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x950e4c1 size 0x1e4 !
copy of MBR has been found in sector 62 !

#127 fenzodahl512 (Malware Removal, 9,863 posts)
Let's do this again...


Please download SDFix by Andy Manchesta and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • A new folder will be extracted to your %systemdrive%, typically C:\SDFix
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt along with any other requested logs at the end of these instructions.



Regards
fenzodahl512

#128 decane (Topic Starter, 105 posts)
I'm working on it.

#129 decane (Topic Starter, 105 posts)
SDFix: Version 1.202
Run by Administrator on Sun 07/06/2008 at 05:08 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\Temp\bca4e2da.$$$ - Deleted
C:\WINDOWS\Temp\ed47fa.$ - Deleted
C:\WINDOWS\Temp\fa56d7ec.$$$ - Deleted

Note - Files associated with the MBR Rootkit have been found on this system, to check the PC use the MBR Rootkit Detector by Gmer or CureIt by Dr.Web




Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-06 17:29:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :


Finished!

#130 fenzodahl512 (Malware Removal, 9,863 posts)
That's good.. Now, let's check if the file still exists..


Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    EmptyTemp
    purity
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.




NEXT


Double-click mbr.exe on your Desktop and post the mbr.txt textfile here..


Regards
fenzodahl512

#131 decane (Topic Starter, 105 posts)
File/Folder CODE not found.
Explorer killed successfully
< EmptyTemp >
File delete failed. C:\DOCUME~1\Michael\LOCALS~1\Temp\~DFDD58.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT06198.TMP scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT0619f.TMP scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07062008_224938

Files moved on Reboot...
C:\DOCUME~1\Michael\LOCALS~1\Temp\~DFDD58.tmp moved successfully.
C:\WINDOWS\temp\ZLT06198.TMP moved successfully.
C:\WINDOWS\temp\ZLT0619f.TMP moved successfully.

#132 decane (Topic Starter, 105 posts)
Below is the updated log. I received the same Gmer is incompatible message that I got a few days ago.


Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: error reading MBR

#133 decane (Topic Starter, 105 posts)
Do you think I need to access the recovery console and enter fixmbr again?

#134 fenzodahl512 (Malware Removal, 9,863 posts)

Do you think I need to access the recovery console and enter fixmbr again?



Yup.. let's do that.. And after that, run mbr.exe again and post the mbr.txt contents here.. You're doing very fine :)


Regards
fenzodahl512

#135 decane (Topic Starter, 105 posts)
Very busy today. Sorry that I took so long to respond. I had to use the CD to access the recovery console.

I entered fixmbr which allowed me to run mbr.exe. It looks like the malicious code is still there.

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x950e4c1 size 0x1e4 !
copy of MBR has been found in sector 62 !


Also in my C: drive I noticed 2 files today that were never there before. I noticed them because I was running out of disk space and these files are large. Can I delete these files:
hiberfil.sys - 509mb
pagefil.sys - 768mb

These files are not in a subfolder, but are in the main C:drive.
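Added here as a worked example (not from the thread, and not Gmer's code): a Python parser for the mbr.txt output posted in #122, #126, #132 and #135 that tells apart the three states the thread runs into: a comparison that finds nothing, an incomplete run where the kernel-mode MBR read failed, and a finding of malicious code outside the boot sector. The infected and kernel-error samples are constructed from the posted logs, the clean one is constructed for contrast; a 512-byte sector size and the reading of the two finding lines are assumptions.

```python
"""Classify mbr.txt output from Gmer's Stealth MBR rootkit detector."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SECTOR_BYTES = 512   # assumption: 512-byte sectors, the norm for 2008-era disks

# Constructed samples reproducing the variants posted in the thread (clean one added).
MBR_INFECTED = """\
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x950e4c1 size 0x1e4 !
copy of MBR has been found in sector 62 !
"""
MBR_KERNEL_ERROR = """\
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: error reading MBR
"""
MBR_CLEAN = """\
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
"""

_CODE_RE = re.compile(r"malicious code @ sector (0x[0-9a-f]+) size (0x[0-9a-f]+)", re.I)
_COPY_RE = re.compile(r"copy of MBR has been found in sector (\d+)", re.I)


@dataclass
class MbrReport:
    verdict: str                # "clean", "infected" or "incomplete"
    kernel_read_ok: bool
    user_kernel_match: bool
    malicious_sector: Optional[int] = None
    malicious_size: Optional[int] = None
    mbr_copy_sector: Optional[int] = None
    notes: List[str] = field(default_factory=list)


def parse_mbr_report(text: str) -> MbrReport:
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    rep = MbrReport(verdict="clean",
                    kernel_read_ok="kernel: MBR read successfully" in lines,
                    user_kernel_match="user & kernel MBR OK" in lines)
    if not rep.kernel_read_ok:
        # Without the kernel-mode view the tool cannot compare the two reads,
        # so a run like this proves nothing either way and must be repeated.
        rep.verdict = "incomplete"
        rep.notes.append("kernel-mode MBR read failed; rerun before drawing conclusions")
        return rep
    for ln in lines:
        if m := _CODE_RE.search(ln):
            rep.malicious_sector = int(m.group(1), 16)
            rep.malicious_size = int(m.group(2), 16)
        elif m := _COPY_RE.search(ln):
            rep.mbr_copy_sector = int(m.group(1))
    if rep.malicious_sector is not None or rep.mbr_copy_sector is not None:
        rep.verdict = "infected"
    if rep.malicious_sector is not None:
        gib = rep.malicious_sector * SECTOR_BYTES / 2 ** 30
        rep.notes.append(
            f"{rep.malicious_size} bytes of code at sector {rep.malicious_sector} "
            f"(about {gib:.1f} GiB into the disk): outside sector 0, so rewriting "
            "the boot sector alone does not remove it")
    if rep.mbr_copy_sector is not None:
        rep.notes.append(
            f"original MBR backed up in sector {rep.mbr_copy_sector}: consistent "
            "with a bootkit that chain-loads the saved MBR after its own code")
    return rep
```

The second note is why the thread's fixmbr run changes nothing in the #135 log: the MBR itself compares clean, while the code the tool reports sits tens of gigabytes further down the disk.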