Author Topic: MY FRIEND IS INFECTED !!!  (Read 6416 times)


Hya

  • Guest
MY FRIEND IS INFECTED !!!
« on: September 01, 2009, 11:57:52 PM »
PLEASE SEE THESE ATTACHMENTS !!!

my friend scanned the whole system with the avast! boot-scan; also scanned with MBAM, and last night scanned with Panda Cloud Antivirus ( >:() but it is still infected !!!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37697
  • F-Secure user
Re: MY FRIEND IS INFECTED !!!
« Reply #1 on: September 02, 2009, 12:11:38 AM »
Post the MBAM log here.
Download and run HijackThis and post the log here: http://filehippo.com/download_hijackthis/
Then someone who can read these logs will help you.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67185
Re: MY FRIEND IS INFECTED !!!
« Reply #2 on: September 02, 2009, 12:39:31 AM »
I suggest (at least) the general cleaning procedure:

1. Clean your temporary files.
2. Schedule a boot-time scan with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
3. Use MBAM (or SUPERantispyware or even Spyware Terminator) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the files to Quarantine than to simply delete them.
4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
5. Make a HijackThis log to post here or at this analysis site. Or even submit the RunScanner log to on-line analysis.
6. Clean your Hosts file (replacing it) with the HostsMan tool.
7. Disable System Restore and then re-enable it.
8. Immunize your system with SpywareBlaster.
9. Check if you have insecure applications with Secunia Software Inspector.
The best things in life are free.

John2009

  • Guest
Re: MY FRIEND IS INFECTED !!!
« Reply #3 on: September 02, 2009, 12:44:14 PM »
Braviax is a known trojan for fake AV's. Get rid of it.

Hya

  • Guest
Re: MY FRIEND IS INFECTED !!!
« Reply #4 on: September 02, 2009, 08:48:35 PM »
HijackThis is not working on this system!

Read this log, please.

YoKenny

  • Guest
Re: MY FRIEND IS INFECTED !!!
« Reply #5 on: September 02, 2009, 09:01:51 PM »
I see you are still running WinXP SP2, and WinXP SP3 has been available for over a year, so you should go to Tools, then Windows Update, in Internet Explorer and install all updates, as it provides performance enhancements and several Critical updates.

Go to Control Panel, then Automatic Updates, then enable at least "Notify me but do not download updates".

Download and install User Profile Hive Cleanup Service:
Brief Description:
A service to help with slow log-off and unreconciled profile problems.
http://www.microsoft.com/downloads/details.aspx?familyid=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en

Install IE8 as it is faster and safer than IE6:
Stay Safer Online
http://www.microsoft.com/windows/internet-explorer/features/safer.aspx
Accelerators
http://www.microsoft.com/windows/internet-explorer/features/faster.aspx

Windows uses IE for everything so it should be updated and made safe.

Run Secunia Online Software Inspector to see what applications are vulnerable:
http://secunia.com/vulnerability_scanning/online

Get Malwarebytes Anti-Malware (MBAM) then update it then run a Quick scan and let it remove all it finds:
http://www.malwarebytes.org/mbam.php

Post its log here after it completes.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: MY FRIEND IS INFECTED !!!
« Reply #6 on: September 02, 2009, 09:06:07 PM »
If HJT is not working there may be a deeper problem.

Please save this file to your desktop.  Double-click on it to run a scan.  When it's finished, there will be a log called Win32kDiag.txt on your desktop.  Please open it with notepad and post the contents here.

THEN

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

Start the Sysprot.exe program.

  • Click on the Log tab.
  • In the Write to log box select all items.
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new Window should appear.
  • Make sure Scan all drives is selected and click on the Start button.
  • When it is complete a new Window will appear to indicate that the scan is finished.
  • The log will be created and saved automatically in the same folder. Open the text file and copy/paste the log here.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89631
  • No support PMs thanks
Re: MY FRIEND IS INFECTED !!!
« Reply #7 on: September 02, 2009, 10:28:50 PM »
Hi essexboy,
Is this new tool Win32kDiag.exe along the same lines as HJT but more powerful? The only reason I ask is that I thought I would check it out, but it failed to run.

Quote
Log file is located at: C:\Documents and Settings\UserName\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!

XP Pro user with admin privileges.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free  24.8.6127 (build 24.8.9372.862) UI 1.0.814/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: MY FRIEND IS INFECTED !!!
« Reply #8 on: September 02, 2009, 11:47:31 PM »
Hi David - no, all this tool does is search for junctions that malware places on the system to stop any anti-malware programmes running. If it shows nothing, you are clean.

An example of an infected report:
Quote
WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-10 03:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 17:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 17:11:53 62464 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 17:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[1] 2004-08-10 03:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)

Finished!
The bolded file is the one that is infected by the malware, so that it runs every time you boot.

Quote
Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Mount point destination : \Device\__max++>\^
And this is one of the junctions added, with the bolded part showing what the mount point will run.

It actually worked well on your system. The information then allows us to replace the bad file, remove the junctions and reset the permissions.

Hope that makes sense.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89631
  • No support PMs thanks
Re: MY FRIEND IS INFECTED !!!
« Reply #9 on: September 02, 2009, 11:51:53 PM »
Thanks for the update.

CharleyO

  • Guest
Re: MY FRIEND IS INFECTED !!!
« Reply #10 on: September 03, 2009, 01:06:31 AM »
***

Just for kicks, I decided to run Win32kDiag.exe also.

Thankfully, nothing was found ... just as I would expect.   :)


***

Hya

  • Guest
Re: MY FRIEND IS INFECTED !!!
« Reply #11 on: September 04, 2009, 02:04:43 PM »
Log Created.

Hya

  • Guest
Re: MY FRIEND IS INFECTED !!!
« Reply #12 on: September 04, 2009, 03:23:40 PM »
HijackThis is Fixed.  ;)

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: MY FRIEND IS INFECTED !!!
« Reply #13 on: September 04, 2009, 07:32:21 PM »
Ok, you do not have the bad one, but you do have a trojan downloader.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt.

Hya

  • Guest
Re: MY FRIEND IS INFECTED !!!
« Reply #14 on: September 05, 2009, 02:54:03 PM »
Very thx
pondus; Tech; YoKenny; essexboy;

Every type of malware deleted.