OCTurbine

Everything posted by OCTurbine

  1. Good news, Mr. Chalee: Kaspersky TDSSKiller reports "No threats found." I appreciate your assistance. I'll run TDSSKiller periodically on my own systems, and will recommend it to my friends. I'll also try to find out why MS Security Essentials didn't detect the Trojan.Ransom.Gen when it was pushed to the laptop in question. Nice-looking dogs.
  2. Thanks for your reply, MrC. Here's the output of RogueKiller. I copied and pasted from the text file created by RK after I last ran it:

     RogueKiller V8.0.4 [09/19/2012] by Tigzy
     mail: tigzyRK<at>gmail<dot>com
     Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
     Blog: http://tigzyrk.blogspot.com

     Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
     Started in : Normal mode
     User : Andy [Admin rights]
     Mode : Scan -- Date : 09/22/2012 10:51:14

     ¤¤¤ Bad processes : 0 ¤¤¤

     ¤¤¤ Registry Entries : 13 ¤¤¤
     [HJ SMENU] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
     [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
     [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
     [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
     [HJ SMENU] HKCU\[...]\Advanced : Start_ShowControlPanel (0) -> FOUND
     [HJ SMENU] HKCU\[...]\Advanced : Start_ShowHelp (0) -> FOUND
     [HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
     [HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
     [HJ DESK] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
     [HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
     [HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
     [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
     [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

     ¤¤¤ Particular Files / Folders: ¤¤¤
     [ZeroAccess][FOLDER] U : C:\Windows\Installer\{f155b85a-2c95-0ef8-5a24-11478d872d34}\U --> FOUND
     [ZeroAccess][FOLDER] L : C:\Windows\Installer\{f155b85a-2c95-0ef8-5a24-11478d872d34}\L --> FOUND
     [ZeroAccess][FILE] @ : C:\Users\Andy\AppData\Local\{f155b85a-2c95-0ef8-5a24-11478d872d34}\@ --> FOUND
     [ZeroAccess][FOLDER] U : C:\Users\Andy\AppData\Local\{f155b85a-2c95-0ef8-5a24-11478d872d34}\U --> FOUND
     [ZeroAccess][FOLDER] L : C:\Users\Andy\AppData\Local\{f155b85a-2c95-0ef8-5a24-11478d872d34}\L --> FOUND

     ¤¤¤ Driver : [NOT LOADED] ¤¤¤

     ¤¤¤ Infection : ZeroAccess ¤¤¤

     ¤¤¤ HOSTS File: ¤¤¤
     --> C:\Windows\system32\drivers\etc\hosts

     ¤¤¤ MBR Check: ¤¤¤

     +++++ PhysicalDrive0: WDC WD5000BPVT-24HXZT3 ATA Device +++++
     --- User ---
     [MBR] 827f867b506c5053f3bd9a475507ae61
     [BSP] 2789fe94f9d61be91673cd426a557e25 : Windows 7 MBR Code
     Partition table:
     0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
     1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 452353 Mo
     2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 926828544 | Size: 24387 Mo
     User = LL1 ... OK!
     User = LL2 ... OK!

     +++++ PhysicalDrive1: Sony Storage Media USB Device +++++
     --- User ---
     [MBR] 8d2f0b46608a6efebe70e59febe7e9f1
     [BSP] 397f8d0a5c6094c0652366d6485dc9fb : Windows 7 MBR Code
     Partition table:
     0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 32 | Size: 7628 Mo
     User = LL1 ... OK!
     Error reading LL2 MBR!

     Finished : << RKreport[1].txt >>
  3. (Oops; misposted in the General Forum.)

     Howdy, y'all,

     One of my neighbors has an HP laptop running Win 7 Pro SP1 x64. Somehow it became infected with the Trojan.Ransom virus that took control of the machine and demanded "200$" from the "FBI" because of "illegal" downloading, etc. I ran the Windows Defender Offline utility in full-scan mode from a bootable USB stick. WDO didn't seem to work the first time; I ran it again, followed by a full scan with MBAM with the latest signatures. MBAM reported 0 objects detected. I then ran RogueKiller, which detected ZeroAccess, but registry entries and folders and files only. Lastly, I ran Gmer, which found Bluetooth registry entries only but didn't actually name a virus.

     Here's the output from RogueKiller:

     ¤¤¤ Bad processes : 0 ¤¤¤

     ¤¤¤ Registry Entries : 13 ¤¤¤
     [HJ SMENU] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
     [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
     [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
     [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
     [HJ SMENU] HKCU\[...]\Advanced : Start_ShowControlPanel (0) -> FOUND
     [HJ SMENU] HKCU\[...]\Advanced : Start_ShowHelp (0) -> FOUND
     [HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
     [HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
     [HJ DESK] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
     [HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
     [HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
     [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
     [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

     ¤¤¤ Particular Files / Folders: ¤¤¤
     [ZeroAccess][FOLDER] U : C:\Windows\Installer\{f155b85a-2c95-0ef8-5a24-11478d872d34}\U --> FOUND
     [ZeroAccess][FOLDER] L : C:\Windows\Installer\{f155b85a-2c95-0ef8-5a24-11478d872d34}\L --> FOUND
     [ZeroAccess][FILE] @ : C:\Users\Lindy\AppData\Local\{f155b85a-2c95-0ef8-5a24-11478d872d34}\@ --> FOUND
     [ZeroAccess][FOLDER] U : C:\Users\Lindy\AppData\Local\{f155b85a-2c95-0ef8-5a24-11478d872d34}\U --> FOUND
     [ZeroAccess][FOLDER] L : C:\Users\Lindy\AppData\Local\{f155b85a-2c95-0ef8-5a24-11478d872d34}\L --> FOUND

     ¤¤¤ Driver : [NOT LOADED] ¤¤¤

     ¤¤¤ Infection : ZeroAccess ¤¤¤

     Gmer's output:

     ---- Registry - GMER 1.0.15 ----
     Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001060ecefef
     Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001060ecefef@0007e034c3ea 0x69 0x10 0xBB 0x3A ...
     Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001060ecefef@001a45fe6925 0xD1 0x86 0xFD 0x6E ...
     Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001060ecefef@0007ab308052 0xE6 0xF9 0x4D 0xAE ...
     Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001060ecefef (not active ControlSet)
     Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001060ecefef@0007e034c3ea 0x69 0x10 0xBB 0x3A ...
     Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001060ecefef@001a45fe6925 0xD1 0x86 0xFD 0x6E ...
     Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001060ecefef@0007ab308052 0xE6 0xF9 0x4D 0xAE ...
     ---- EOF - GMER 1.0.15 ----

     Can I manually delete everything that is reported here? Otherwise, the system is operating as expected. I discovered an older Java JRE that's known to be vulnerable, so I uninstalled it. And I installed all of the pending Windows critical updates, including the latest Cumulative Update for IE8 discussed in Security Bulletin MS12-063.

     Thanks for your suggestions.
  4. Howdy, y'all,

     One of my neighbors has an HP laptop running Win 7 Pro SP1 x64. Somehow it became infected with the Trojan.Ransom virus that took control of the machine and demanded "200$" from the "FBI" because of "illegal" downloading, etc. I ran the Windows Defender Offline utility in full-scan mode from a bootable USB stick. WDO didn't seem to work the first time; I ran it again, followed by a full scan with MBAM with the latest signatures. MBAM reported 0 objects detected. I then ran RogueKiller, which detected ZeroAccess, but registry entries and folders and files only. Lastly, I ran Gmer, which found Bluetooth registry entries only but didn't actually name a virus.

     Here's the output from RogueKiller:

     ¤¤¤ Bad processes : 0 ¤¤¤

     ¤¤¤ Registry Entries : 13 ¤¤¤
     [HJ SMENU] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
     [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
     [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
     [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
     [HJ SMENU] HKCU\[...]\Advanced : Start_ShowControlPanel (0) -> FOUND
     [HJ SMENU] HKCU\[...]\Advanced : Start_ShowHelp (0) -> FOUND
     [HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
     [HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
     [HJ DESK] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
     [HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
     [HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
     [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
     [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

     ¤¤¤ Particular Files / Folders: ¤¤¤
     [ZeroAccess][FOLDER] U : C:\Windows\Installer\{f155b85a-2c95-0ef8-5a24-11478d872d34}\U --> FOUND
     [ZeroAccess][FOLDER] L : C:\Windows\Installer\{f155b85a-2c95-0ef8-5a24-11478d872d34}\L --> FOUND
     [ZeroAccess][FILE] @ : C:\Users\Lindy\AppData\Local\{f155b85a-2c95-0ef8-5a24-11478d872d34}\@ --> FOUND
     [ZeroAccess][FOLDER] U : C:\Users\Lindy\AppData\Local\{f155b85a-2c95-0ef8-5a24-11478d872d34}\U --> FOUND
     [ZeroAccess][FOLDER] L : C:\Users\Lindy\AppData\Local\{f155b85a-2c95-0ef8-5a24-11478d872d34}\L --> FOUND

     ¤¤¤ Driver : [NOT LOADED] ¤¤¤

     ¤¤¤ Infection : ZeroAccess ¤¤¤

     Gmer's output:

     ---- Registry - GMER 1.0.15 ----
     Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001060ecefef
     Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001060ecefef@0007e034c3ea 0x69 0x10 0xBB 0x3A ...
     Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001060ecefef@001a45fe6925 0xD1 0x86 0xFD 0x6E ...
     Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001060ecefef@0007ab308052 0xE6 0xF9 0x4D 0xAE ...
     Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001060ecefef (not active ControlSet)
     Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001060ecefef@0007e034c3ea 0x69 0x10 0xBB 0x3A ...
     Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001060ecefef@001a45fe6925 0xD1 0x86 0xFD 0x6E ...
     Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001060ecefef@0007ab308052 0xE6 0xF9 0x4D 0xAE ...
     ---- EOF - GMER 1.0.15 ----

     Can I manually delete everything that is reported here? Otherwise, the system is operating as expected. I discovered an older Java JRE that's known to be vulnerable, so I uninstalled it. And I installed all of the pending Windows critical updates, including the latest Cumulative Update for IE8 discussed in Security Bulletin MS12-063.

     Thanks for your suggestions.