PUP.Bitminer kwrd.dll infection [Solved]



#31
integrinB4 (Topic Starter, Member, 61 posts)
I downloaded the Avast! virus definitions and ran the aswMBR scan again.

Here is the log:

aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-07 11:28:53
-----------------------------
11:28:53.195 OS Version: Windows x64 6.1.7601 Service Pack 1
11:28:53.195 Number of processors: 4 586 0x502
11:28:53.195 ComputerName: DESKTOP UserName: Mike
11:28:55.410 Initialize success
11:30:51.217 AVAST engine defs: 12010700
11:31:17.862 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000005a
11:31:17.862 Disk 0 Vendor: WDC_WD64 01.0 Size: 610480MB BusType: 3
11:31:17.893 Disk 0 MBR read successfully
11:31:17.893 Disk 0 MBR scan
11:31:17.909 Disk 0 unknown MBR code
11:31:17.909 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
11:31:17.924 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 598085 MB offset 206848
11:31:17.971 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 12293 MB offset 1225084928
11:31:17.971 Service scanning
11:31:19.796 Service TmFilter C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmXPFlt.sys **LOCKED** 32
11:31:19.796 Service TmPreFilter C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmPreFlt.sys **LOCKED** 32
11:31:20.015 Service VSApiNt C:\Program Files (x86)\Trend Micro\OfficeScan Client\VSApiNt.sys **LOCKED** 32
11:31:20.639 Modules scanning
11:31:20.639 Disk 0 trace - called modules:
11:31:20.654 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys storport.sys hal.dll nvstor64.sys
11:31:20.670 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8005b6b060]
11:31:20.686 3 CLASSPNP.SYS[fffff8800196e43f] -> nt!IofCallDriver -> [0xfffffa8004ea4e40]
11:31:20.686 5 ACPI.sys[fffff88000fa07a1] -> nt!IofCallDriver -> \Device\0000005a[0xfffffa80058c53e0]
11:31:22.246 AVAST engine scan C:\Windows
11:31:30.014 AVAST engine scan C:\Windows\system32
11:34:39.726 AVAST engine scan C:\Windows\system32\drivers
11:34:59.944 AVAST engine scan C:\Users\Mike
11:38:43.554 AVAST engine scan C:\ProgramData
11:39:51.991 Scan finished successfully
11:40:11.881 Disk 0 MBR has been saved successfully to "C:\Users\Mike\Desktop\MBR.dat"
11:40:11.881 The log file has been saved successfully to "C:\Users\Mike\Desktop\aswMBR2.txt"
  • 0


#32
CompCav (Member 5k, Expert, 12,448 posts)
Step 1.

Please download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

Enter 'Y' and hit ENTER for more options, or 'N' to exit:


Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.


Step 2.

Download AVPTool from Here to your desktop

Run the program you have just downloaded to your desktop (it will be randomly named).

First we will run a virus scan

Click the cog in the upper right

Select down to and including your main drive. Once done, select the Automatic scan tab and press Start Scan.

Allow AVP to delete all infections found
Once it has finished select report tab (last tab)
Select the Detected threats report from the left and press the Save button
Save it to your desktop and attach to your next post


Now the Analysis

Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information

On completion click the link to locate the zip file to upload and attach to your next post


Step 3.

Please post:

MbrCheck log
AVZ log


Please attach:

avptool_sysinfo.zip


What issues do you still have with your computer?

  • 0

#33
integrinB4 (Topic Starter, Member, 61 posts)
MBRcheck log:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Professional
Windows Information: Service Pack 1 (build 7601), 64-bit
Base Board Manufacturer: PEGATRON CORPORATION
BIOS Manufacturer: American Megatrends Inc.
System Manufacturer: HP-Pavilion
System Product Name: NY545AA-ABA p6210y
Logical Drives Mask: 0x000001fc

Kernel Drivers (total 190):

Processes (total 72):

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`06500000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000092`0aa00000 (NTFS)

PhysicalDrive0 Model Number: WDC WD6400AAKS-65A7B, Rev: 01.0

Size Device Name MBR Status
--------------------------------------------
596 GB \\.\PhysicalDrive0 RE: Unknown MBR code
SHA1: EA86DEA936A7937E6201DADF57DB786F2049D1CB


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!
  • 0
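A worked example added here, not part of the thread or of the aswMBR/MBRCheck tools: a Python parser for a 512-byte MBR dump such as the MBR.dat that aswMBR saved above. It decodes the partition table the way the aswMBR log prints it and hashes the bootstrap code against an allowlist, which is what an "unknown MBR code" verdict boils down to. The sample image is constructed to mirror the three NTFS partitions in the log; GOLDEN_BOOT_CODE and KNOWN_GOOD are constructed stand-ins, not the real hash MBRCheck reported.

```python
# Added example: parse a 512-byte MBR dump (e.g. aswMBR's MBR.dat), decode the partition
# table and hash the bootstrap code against an allowlist ("unknown MBR code" check).
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Set, Tuple

SECTOR = 512
BOOT_CODE_LEN = 446    # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446   # four 16-byte partition entries follow it
SIGNATURE_OFF = 510    # the sector ends with 0x55 0xAA
PART_TYPES = {0x07: "HPFS/NTFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA", 0x0F: "extended LBA"}

@dataclass
class Partition:
    index: int        # 1-based, as aswMBR prints it
    status: int       # 0x80 = active/bootable, 0x00 = inactive
    ptype: int        # partition type byte
    lba_start: int    # first sector ("offset" in the aswMBR log)
    sectors: int      # length in sectors

    def size_mb(self) -> int:
        return self.sectors * SECTOR // (1024 * 1024)

    def describe(self) -> str:
        flag = " (A)" if self.status == 0x80 else ""
        return (f"Partition {self.index} {self.status:02X}{flag} {self.ptype:02X} "
                f"{PART_TYPES.get(self.ptype, 'unknown')} {self.size_mb()} MB "
                f"offset {self.lba_start}")

def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the partition table; entries whose type byte is 0x00 are unused."""
    if len(mbr) != SECTOR or mbr[SIGNATURE_OFF:] != b"\x55\xaa":
        raise ValueError("need a 512-byte sector ending in the 0x55AA boot signature")
    parts = []
    for i in range(4):
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4 LE) sectors(4 LE)
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0x00:
            parts.append(Partition(i + 1, status, ptype, lba, count))
    return parts

def boot_code_sha1(mbr: bytes) -> str:
    """Hash only the bootstrap code; the partition table legitimately differs per machine."""
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()

def check_mbr(mbr: bytes, known_good: Set[str]) -> Tuple[List[Partition], str, List[str]]:
    """Return (partitions, boot-code SHA1, findings); an empty findings list is clean."""
    parts = parse_partitions(mbr)
    digest = boot_code_sha1(mbr)
    findings = []
    if digest not in known_good:
        findings.append(f"unknown MBR code (SHA1 {digest})")
    if sum(p.status == 0x80 for p in parts) != 1:
        findings.append("expected exactly one active partition")
    findings += [f"partition {p.index}: invalid status byte {p.status:#04x}"
                 for p in parts if p.status not in (0x00, 0x80)]
    ordered = sorted(parts, key=lambda p: p.lba_start)
    findings += [f"partitions {a.index} and {b.index} overlap" for a, b in
                 zip(ordered, ordered[1:]) if a.lba_start + a.sectors > b.lba_start]
    return parts, digest, findings

def build_sample_mbr(boot_code: bytes, layout) -> bytes:
    """Constructed sample only: MBR from boot code plus (status, type, lba, sectors) tuples."""
    table = b"".join(struct.pack("<B3xB3xII", s, t, lba, n) for s, t, lba, n in layout)
    return (boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
            + table.ljust(64, b"\x00") + b"\x55\xaa")

# Layout mirrors the three NTFS partitions in the aswMBR log (sizes in 512-byte sectors).
SAMPLE_LAYOUT = [(0x80, 0x07, 2048, 204800),          # 100 MB System Reserved, active
                 (0x00, 0x07, 206848, 1224878080),    # 598085 MB Windows volume
                 (0x00, 0x07, 1225084928, 25176064)]  # 12293 MB recovery volume
# Constructed stand-in for vendor boot code; a real allowlist is built from a known-clean install.
GOLDEN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100
KNOWN_GOOD = {boot_code_sha1(build_sample_mbr(GOLDEN_BOOT_CODE, SAMPLE_LAYOUT))}

if __name__ == "__main__":
    # Same partition table, different first-stage loader: the trace a bootkit leaves.
    suspect = build_sample_mbr(b"\xeb\x58\x90" + b"\x00" * 40, SAMPLE_LAYOUT)
    parts, digest, findings = check_mbr(suspect, KNOWN_GOOD)
    print("\n".join(p.describe() for p in parts))
    print(f"boot code SHA1 {digest}; findings: {findings or 'none'}")
```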

#34
integrinB4 (Topic Starter, Member, 61 posts)
The Kaspersky scan has been going for 16 hours and is only 50% done. Does it usually take this long?
  • 0

#35
CompCav (Member 5k, Expert, 12,448 posts)
Depending on the machine, the number of files, and the infections, it can take several hours, and 16 plus is not unusual.
  • 0

#36
integrinB4 (Topic Starter, Member, 61 posts)
It seems to have been stuck at 49% for the last 3 hours.

Stuck on:
C:\_OTL\MovedFiles\01032012_235109\C_Windows\Downloaded Program Files\amicasjreinstaller_1_5_0_silent.inf

It has located a virus:
HEUR:Backdoor.Win64.Generic

in C:\Windows\assembly\GAC_64\Desktop.ini

I need to go do something for a couple hours. If I come back and the removal tool is still at 49% on the same file, should I delete the virus it found and try starting the scan again?
  • 0

#37
CompCav (Member 5k, Expert, 12,448 posts)
Yes, delete the virus and delete the file:

C:\_OTL\MovedFiles\01032012_235109\C_Windows\Downloaded Program Files\amicasjreinstaller_1_5_0_silent.inf


  • 0

#38
CompCav (Member 5k, Expert, 12,448 posts)
Then please restart the scan.
  • 0

#39
integrinB4 (Topic Starter, Member, 61 posts)
The scan has frozen again. This time at 48%

C:\_OTL\MovedFiles\01032012_235109\C_Users\Mike\AppData\Local\bfw826jj2ggq08uq3m012q5njwytp0gv6goyc

It however did once again detect the same virus in the same location:
C:\Windows\assembly\GAC_64\Desktop.ini
HEUR:Backdoor.Win64.Generic


I will clear the virus. Should I also delete the file that caused the detection software to hang up?
  • 0

#40
CompCav (Member 5k, Expert, 12,448 posts)

> Should I also delete the file that caused the detection software to hang up?


Yes please delete it as well.

CompCav
  • 0


#41
integrinB4 (Topic Starter, Member, 61 posts)
The scan has frozen again. This time at 48%

C:\_OTL\MovedFiles\01032012_235109\C_Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll

It however did once again detect the same virus in the same location:
C:\Windows\assembly\GAC_64\Desktop.ini
HEUR:Backdoor.Win64.Generic


I will clear the virus. Can we maybe only scan the c:\_OTL folder, since the scanning software keeps hanging up there? Then we can identify the files and remove them without having to wait several hours for the scan. Then, once we can get through c:\_OTL without issue, repeat the entire scan?
  • 0

#42
CompCav (Member 5k, Expert, 12,448 posts)
Just skip the full scan. We can get at this a different way.

But let's do the Analysis scan and post it.

Now the Analysis

Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information

On completion click the link to locate the zip file to upload and attach to your next post




Please attach:

avptool_sysinfo.zip

Edited by CompCav, 11 January 2012 - 06:30 AM.

  • 0

#43
integrinB4 (Topic Starter, Member, 61 posts)
avptool

Attached Files


  • 0

#44
CompCav (Member 5k, Expert, 12,448 posts)
Warning!!
You have an information stealing trojan installed on your computer.
Backdoor Trojans, IRCBots, keyloggers and Infostealers are very dangerous because they provide a way of accessing a computer system that bypasses security mechanisms and can steal sensitive information like passwords, personal and financial data, which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, I suggest you do the following.

  • All passwords should be changed to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed using a different computer and not the infected one. If you use the infected computer, an attacker may get the new passwords and transaction information.
  • Banking and credit card institutions should be notified of the possible security breach.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide to continue cleaning please follow the next steps:



Step 1.

We need to run an OTL Fix

  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.

    :OTL
    
    
    
    :files
    ipconfig /flushdns /c
    C:\Windows\assembly\GAC_64\Desktop.ini
    C:\Windows\assembly\GAC_32\Desktop.ini
    C:\Windows\assembly\temp\U
    C:\Users\Mike\AppData\Local\Temp\_uninst_15059840.bat
    C:\Users\Mike\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_15059840.lnk
    C:\Program Files\Java\jre6\bin\npjpi160_22.dll
    
    
    :reg
    
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [createrestorepoint]
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date and the time of the tool run.


Step 2.

Delete your current copy of ComboFix and download a fresh copy.

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop.

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.

Double click on ComboFix.exe & follow the prompts.
Accept the disclaimer and allow it to update if it asks.


When finished, it produces a log for you.
Please include the C:\ComboFix.txt in your next reply.



Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.



Step 3.

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    consrv.dll
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT /s
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS /s
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ipsec /s
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\afd /s
    C:\Windows\assembly\tmp\U\*.* /s
    %Temp%\smtmp\1\*.*
    %Temp%\smtmp\2\*.*
    %Temp%\smtmp\3\*.*
    %Temp%\smtmp\4\*.*
    CREATERESTOREPOINT
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open a Notepad window: OTL.Txt.
  • Post both logs


Step 4.

Please Post:

OTL fix log
Combofix log
OTL.txt



How is your computer doing?
  • 0

#45
integrinB4 (Topic Starter, Member, 61 posts)
I will perform the scans listed above. However, I am considering reformatting after that.

My questions regarding reformatting:

1) As soon as I noticed the infection that I started this thread about, I disconnected an external hard drive from the machine. Is there a way to determine if the infection is also on that external hard drive? It has not been connected to the machine while we have done these scans.

2) I ask about the external hard drive because if I reformat, I will need to move some files off the machine. These files include music (.wav and .mp3), photos (.tif and .jpg), .pdf, and .docx and .xls files. I would like to move the relevant files to the external hard drive then move them back once the machine is reformatted. However, I will not do this if we can determine the external hard drive was also infected.

3) The other option is to acquire a new, clean external hard drive. If I connect it to the infected computer, will the trojan get transferred upon connection or upon transferring of any of the aforementioned files?
  • 0





