Avast WEBforum
Other => Viruses and worms => Topic started by: Blackpig on May 05, 2011, 07:07:56 PM
-
I've done the first step with MBAM, and here is the log:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6514
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
5/5/2011 9:55:39 AM
mbam-log-2011-05-05 (09-55-39).txt
Scan type: Quick scan
Objects scanned: 186358
Time elapsed: 4 minute(s), 8 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 7
Files Infected: 5
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\idln2 (Malware.Trace) -> Value: idln2 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\bk (Malware.Trace) -> Value: bk -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegistryMonitor1 (Trojan.Agent) -> Value: RegistryMonitor1 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\RegistryMonitor2 (Malware.Trace) -> Value: RegistryMonitor2 -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
c:\documents and settings\Admin\application data\shoppingreport2 (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
c:\documents and settings\Admin\application data\shoppingreport2\cs (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
c:\documents and settings\Admin\application data\shoppingreport2\cs\db (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
c:\documents and settings\Admin\application data\shoppingreport2\cs\dwld (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
c:\documents and settings\Admin\application data\shoppingreport2\cs\report (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
c:\documents and settings\Admin\application data\shoppingreport2\cs\res1 (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
c:\program files\resultbar (Adware.ResultBar) -> Quarantined and deleted successfully.
Files Infected:
c:\documents and settings\mom and auntie yao\local settings\temp\{1bb22d38-a411-4b13-a746-c2a4f4ec7344}\searchguardplus.exe (PUP.Fbsearch) -> Quarantined and deleted successfully.
c:\documents and settings\mom and auntie yao\local settings\temp\{1bb22d38-a411-4b13-a746-c2a4f4ec7344}\update.exe (PUP.Fbsearch) -> Quarantined and deleted successfully.
c:\documents and settings\Admin\local settings\temporary internet files\Content.IE5\RMDZ36RR\TFC[1].exe (Trojan.Dropper.PGen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\userinitxx.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\resultbar\resultbar(2).exe (Adware.ResultBar) -> Quarantined and deleted successfully.
What should I do next?
-
Actually, it's Win32 Dropper-gen, not Malware-gen. Sorry for that.
-
Hi. Let's see if there are any remains...
Download DDS and save it to your Desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr
Double click dds.scr to run the tool.
* When done, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt
Save both reports to your desktop. Attach DDS.txt back to topic.
-
Thank you a lot! Here they are!
-
Ok. Except for a couple of adware items, you have no active malware on your system.
--> The first thing you need to do is to install the latest version of avast antivirus.
The current version that you may download for free is avast 6.0.1091.
--> Next ...
Start >> Control Panel >> Add or Remove Programs
Uninstall:
Fast Browser Search Toolbar
Productivity 2.2 Toolbar
Conduit Engine
Windows Live Toolbar
--> Next...
Download CCleaner from here:
http://www.piriform.com/ccleaner
Run Registry & Cleaner tool. Also disable your unnecessary startup.
Tools >> Startup >> select unnecessary program >> disable
Do not disable these entries:
avast
ctfmon.exe
Disable all but leave these if you are in the habit of using them:
MsnMsgr
MSMSGS
uTorrent
skype
USB Antivirus
log me in
FixCamera
Download & Run/use Wise Registry Cleaner & Puran Disc Defragmenter
http://www.wisecleaner.com/wiseregistrycleanerfree.html
http://www.puransoftware.com/Puran-Defrag-Download.html
About USB Antivirus:
I recommend that you uninstall this software and use MCShield to prevent infections via USB drives.
http://amf.mycity.rs/programs/mc/mcshield/index.html
-
I can't access Add & Remove Programs, though other items in Control Panel are still OK. Moreover, avast shows that it keeps blocking redirects to two malicious sites. Plus, I can't use Google Chrome. Is my problem really solved?
-
Download aswMBR (511KB) from here to your desktop: http://public.avast.com/~gmerek/aswMBR.exe
Double click the aswMBR on the desktop to run it
Click the "Scan" button to start scan
(screenshot: http://public.avast.com/~gmerek/aswMBR1.png)
On completion of the scan click save log, save it to your desktop and post in your next reply
-
Thank you very much. Below is the log
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-05 14:35:14
-----------------------------
14:35:14.843 OS Version: Windows 5.1.2600 Service Pack 3
14:35:14.843 Number of processors: 2 586 0x170A
14:35:14.843 ComputerName: DG83K22S UserName: Admin
14:35:15.562 Initialize success
14:35:17.500 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
14:35:17.500 Disk 0 Vendor: WDC_WD16 11.0 Size: 152627MB BusType: 3
14:35:17.515 Disk 0 MBR read successfully
14:35:17.515 Disk 0 MBR scan
14:35:17.531 Disk 0 TDL4@MBR code has been found
14:35:17.531 Disk 0 MBR hidden
14:35:17.531 Disk 0 MBR [TDL4] **ROOTKIT**
14:35:17.546 Disk 0 trace - called modules:
14:35:17.546 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89920730]<<
14:35:17.562 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a29c868]
14:35:17.578 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> [0x8a2e9650]
14:35:17.578 \Driver\iaStor[0x8a356298] -> IRP_MJ_CREATE -> 0x89920730
14:35:17.593 Scan finished successfully
14:35:38.875 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Admin\Desktop\MBR.dat"
14:35:38.890 The log file has been saved successfully to "C:\Documents and Settings\Admin\Desktop\aswMBR.txt"
-
I've pushed the button "FixMBR" and below is the new log. Has the problem been solved?
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-05 14:42:06
-----------------------------
14:42:06.140 OS Version: Windows 5.1.2600 Service Pack 3
14:42:06.140 Number of processors: 2 586 0x170A
14:42:06.156 ComputerName: DG83K22S UserName: Admin
14:42:06.875 Initialize success
14:42:08.343 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
14:42:08.343 Disk 0 Vendor: WDC_WD16 11.0 Size: 152627MB BusType: 3
14:42:08.375 Disk 0 MBR read successfully
14:42:08.375 Disk 0 MBR scan
14:42:08.390 Disk 0 unknown MBR code
14:42:08.390 Disk 0 scanning sectors +312576705
14:42:08.437 Disk 0 scanning C:\WINDOWS\system32\drivers
14:42:13.328 Service scanning
14:42:16.046 Disk 0 trace - called modules:
14:42:16.093 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
14:42:16.093 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a5aeab8]
14:42:16.109 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8a5af028]
14:42:16.109 Scan finished successfully
14:42:31.781 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Admin\Desktop\MBR.dat"
14:42:31.796 The log file has been saved successfully to "C:\Documents and Settings\Admin\Desktop\aswMBR1.txt"
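The two aswMBR logs above show the three things a bootkit check actually looks at: the code in sector 0 ("TDL4@MBR code has been found"), whether the sector the OS hands back is the one really on disk ("MBR hidden"), and the unpartitioned sectors at the end of the drive that the second scan walks ("scanning sectors +312576705"), which is where TDL4 keeps its hidden storage. The following is an added example, not aswMBR's or Avast's code, that performs the same three checks offline on raw 512-byte sectors: parse the MBR, compare boot code and partition table against a saved baseline (the MBR.dat that aswMBR wrote before "FixMBR" was pressed is exactly such a baseline), cross-check an OS-path read against a raw read, and measure the disk tail. The sample sectors are constructed; the disk size and the partition end are taken from the log's figures (152627 MB, LBA 312576705), but the real partition layout of that machine is not on the page, and the boot code bytes and the 2048-sector tail threshold are placeholders/assumptions.

```python
"""Offline MBR triage in the spirit of the aswMBR logs (added example, not aswMBR code)."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SECTOR = 512
BOOT_SIG = b"\x55\xaa"
BOOT_CODE_LEN = 440          # bytes 0..439: boot code; 440..443 disk signature; 444..445 reserved
PT_OFFSET = 446              # partition table: 4 entries x 16 bytes
PT_ENTRY = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count


@dataclass(frozen=True)
class Partition:
    index: int
    active: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:   # first sector *after* the partition
        return self.lba_start + self.sectors


def parse_mbr(sector: bytes) -> Tuple[bytes, List[Partition]]:
    """Return (boot_code, partitions); raise ValueError for a malformed sector."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    parts: List[Partition] = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(PT_ENTRY, sector[off:off + 16])
        if ptype == 0 and count == 0:
            continue                                   # empty slot
        parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return sector[:BOOT_CODE_LEN], parts


def triage(mbr_api: bytes, mbr_raw: bytes, baseline: Optional[bytes],
           disk_sectors: int, tail_threshold: int = 2048) -> Dict[str, str]:
    """Tag -> explanation. mbr_api is sector 0 as the OS returned it, mbr_raw the same
    sector read by a path a filter driver should not see (cross-view check)."""
    findings: Dict[str, str] = {}
    if mbr_api != mbr_raw:
        findings["CROSS_VIEW_MISMATCH"] = "OS read and raw read of sector 0 disagree: the MBR is being hidden"
    code, parts = parse_mbr(mbr_raw)
    if baseline is not None:
        base_code, base_parts = parse_mbr(baseline)
        if hashlib.sha256(code).digest() != hashlib.sha256(base_code).digest():
            findings["BOOT_CODE_MODIFIED"] = "boot code SHA-256 differs from the saved baseline (MBR.dat)"
        if [(p.type_id, p.lba_start, p.sectors) for p in parts] != \
           [(p.type_id, p.lba_start, p.sectors) for p in base_parts]:
            findings["PARTITION_TABLE_MODIFIED"] = "partition table differs from the saved baseline"
    if not any(p.active for p in parts):
        findings["NO_ACTIVE_PARTITION"] = "no partition is flagged active (0x80)"
    last_end = max((p.lba_end for p in parts), default=0)
    if last_end > disk_sectors:
        findings["PARTITION_PAST_DISK_END"] = f"partition ends at LBA {last_end} beyond disk size {disk_sectors}"
    tail = disk_sectors - last_end
    if 0 < tail and tail > tail_threshold:
        findings["UNPARTITIONED_TAIL"] = (f"{tail} sectors after the last partition "
                                         f"(LBA {last_end}-{disk_sectors - 1}); inspect them for hidden storage")
    return findings


def build_mbr(boot_code: bytes, parts: List[Partition], disk_sig: bytes = b"\x11\x22\x33\x44") -> bytes:
    """Assemble a syntactically valid MBR sector from constructed parts (test data only)."""
    table = bytearray(64)
    for p in parts:
        struct.pack_into(PT_ENTRY, table, 16 * p.index, 0x80 if p.active else 0x00,
                         b"\0\0\0", p.type_id, b"\0\0\0", p.lba_start, p.sectors)
    return boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\0") + disk_sig + b"\0\0" + bytes(table) + BOOT_SIG


# Constructed sample: disk size from the log (152627 MB) and one NTFS partition whose end
# matches the sector the second scan started at; the real layout is an assumption.
DISK_SECTORS = 152627 * 2048                       # 312,580,096 sectors
SAMPLE_PART = Partition(0, True, 0x07, 63, 312576705 - 63)
CLEAN_CODE = b"constructed clean boot code placeholder"        # not real x86 boot code
BOOTKIT_CODE = b"constructed bootkit loader placeholder"       # not real TDL4 code
MBR_CLEAN = build_mbr(CLEAN_CODE, [SAMPLE_PART])
MBR_INFECTED = build_mbr(BOOTKIT_CODE, [SAMPLE_PART])         # same table, replaced code


def infected_scenario() -> Dict[str, str]:
    """Rootkit active: the OS is handed the clean sector, the raw read shows the real one."""
    return triage(mbr_api=MBR_CLEAN, mbr_raw=MBR_INFECTED, baseline=MBR_CLEAN, disk_sectors=DISK_SECTORS)


def clean_scenario() -> Dict[str, str]:
    return triage(mbr_api=MBR_CLEAN, mbr_raw=MBR_CLEAN, baseline=MBR_CLEAN, disk_sectors=DISK_SECTORS)


if __name__ == "__main__":
    for name, result in (("infected", infected_scenario()), ("clean", clean_scenario())):
        print(name)
        for tag, why in result.items():
            print(f"  {tag}: {why}")
```

The unpartitioned tail is flagged on the clean disk too: it is a place to look, not a verdict, which is why aswMBR scans those sectors rather than alarming on them. The decisive signals are the cross-view mismatch and the boot-code hash change against the saved copy, and having that saved copy is also what makes a later restore safe, which is the point behind waiting for instructions before pressing "FixMBR".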
-
It "seems" like my comp runs normally again. A big hand to both magna 68 and Zyndstoff (aka Steven Gail). Please let me know if I have additional steps to finish.
-
Well, as a matter of fact, "FixMBR" was the wrong button...
If this solved problem you're lucky. If the problem comes back, please come back here again.
It's always a good idea to wait for instructions when you are using an unknown tool... ;D
Please rerun MBAM (update it via GUI update tab) and have it remove everything it finds.
Cheers
Zyndstoff
-
Hmm, strange that DDS did not show rootkit
-
Hmm, strange that DDS did not show rootkit
TDL4 is rather tricky...
-
Yes, but the DDS would have to recognize it
Moreover, avast shows that it keep blocking redirect to two malicious sites. Plus, I can't use google chrome. Is my problem really solved?
@Zyndstoff (aka Steven Gail)
You knew about this or... 'by heart ;D
-
Yes, but the DDS would have to recognize it
Obviously, it didn't...
You knew about this or... 'by heart ;D
Nope, but there have been more cases in the last few days where some tools did not find anything; the symptoms were blocked URLs even without any browser running...
Besides that, I'm a wizard. ;D
-
I believe it is a new variant of the TDL rootkits... :)
and it is therefore difficult for our diagnostic tools to identify the presence of the rootkit.
But again, I am surprised that the mbr.exe in DDS did not list info about TDL while it is in aswMBR. :(