Posts posted by vladmir
-
Hi Borislav, guess what, I installed the Avast! Internet Security trial, it detected and deleted the trojan, then MBAM came in, then HijackThis confirmed that it is gone.
PC is clean! Thanks for your help.
This topic can now be closed.
-
-
Update: This laptop does not have internet access for now, so I won't be able to do online scans, but will have to download the update database manually.
Also, this has XP Pro SP2 installed. There is no autorun.inf infection happening, as I checked by inserting pendrives in the USB ports, and everything came up clean. So I don't know what this fbqjhw.exe is doing.
Thanks for all your hard work in helping us.
In the meantime, I will scan with the Avira and AVG bootscan rescue CDs and will keep you updated.
Please tell me what else you would like from me.
-
Hi guys,
here's the situation. Got a friend's laptop, it had viruses, removed most of them with MBAM + SAS + ComboFix.
Just 1 remains.
It might be a rootkit.
MBAM detects it, deletes it, it comes back up again.
In normal and safe mode.
System Restore is already turned off, doesn't help.
Here's the log of MBAM:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4125
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180
7/22/2010 8:18:07 AM
mbam-log-2010-07-22 (08-18-07).txt
Scan type: Quick scan
Objects scanned: 13655
Time elapsed: 1 minute(s), 54 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (regedit.exe %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
HijackThis log is clearer; it identifies the file as
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\fbqjhw.exe,
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:32:02 PM, on 7/22/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ASTSRV.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Genesys Logic PC Camera Device\GenePccMon.exe
C:\Program Files\USB Disk Security\USBGuard.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\MyPortal\Speed-X\SpeedX.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\fbqjhw.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [GenePccMon.exe] C:\Program Files\Genesys Logic PC Camera Device\GenePccMon.exe
O4 - HKLM\..\Run: [USB Antivirus] C:\Program Files\USB Disk Security\USBGuard.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [SpeedX] C:\PROGRA~1\MyPortal\Speed-X\SpeedX.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\system32\ASTSRV.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Venturi Client (VenturiClient) - Venturi Wireless - C:\Program Files\Netbooster Client\Client\ventc.exe
--
End of file - 4866 bytes
Guys, help please!!
Edit:
Some more info. It looks like it's this one:
http://www.prevx.com/filenames/X1125429822...FBQJHW.EXE.html
It's funny that the Prevx website lists this one as originating in the UK, because until a couple of weeks ago, this laptop was in the UK.
Now it's back in India.
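The persistence shown in the F2 line above is worth checking for mechanically: winlogon's UserInit value normally names exactly one program, userinit.exe in the system directory, and malware appends its own path after a comma so it starts at every logon (safe mode included) and can re-create whatever an on-demand scan removed. The following script is an added example, not code from this thread, HijackThis or Malwarebytes. It parses HijackThis-style F2 lines from a constructed sample log (the F2 line from the post plus an unrelated O4 line), flags any UserInit entry other than userinit.exe, and builds the value to write back. The `C:\WINDOWS` directory is an assumption matching this XP machine; pass `windir` for other installs.

```python
"""Spot a UserInit hijack in HijackThis output.

Added example, not code from the forum thread. winlogon's UserInit value
normally names exactly one program, userinit.exe in the Windows system
directory. Malware appends its own path after a comma so it starts at every
logon, even in safe mode, and can re-create whatever an on-demand scan removed.
HijackThis reports that value as an 'F2 - REG:system.ini: UserInit=' line.
"""
import ntpath
import re

# Constructed sample: the F2 line from the log above plus an unrelated O4 line.
SAMPLE_LOG = """\
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\SYSTEM32\\Userinit.exe,C:\\WINDOWS\\system32\\fbqjhw.exe,
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

F2_USERINIT = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.IGNORECASE)


def parse_userinit(line):
    """Return the programs listed in an F2 UserInit line, or None for any other line."""
    match = F2_USERINIT.match(line.strip())
    if match is None:
        return None
    # Entries are comma separated; the trailing comma Windows writes yields an
    # empty field, which is dropped here.
    return [p.strip() for p in match.group("value").split(",") if p.strip()]


def is_expected_userinit(path, windir="C:\\WINDOWS"):
    """True only for userinit.exe inside <windir>\\system32, ignoring case."""
    expected = ntpath.join(windir, "system32", "userinit.exe").lower()
    return ntpath.normpath(path).lower() == expected


def find_userinit_hijacks(log_text, windir="C:\\WINDOWS"):
    """Return every UserInit entry in the log that is not the expected userinit.exe."""
    hijacks = []
    for line in log_text.splitlines():
        entries = parse_userinit(line)
        if entries is None:
            continue
        hijacks.extend(e for e in entries if not is_expected_userinit(e, windir))
    return hijacks


def cleaned_userinit(entries, windir="C:\\WINDOWS"):
    """Build the value to write back: keep the real userinit.exe, drop the rest.

    The caveat that matters in practice: never blank the whole value. With an
    empty UserInit no user shell starts and the machine logs off immediately
    after logon. The original entry is kept as written (case and all) and the
    trailing comma Windows itself uses is preserved.
    """
    keep = [e for e in entries if is_expected_userinit(e, windir)]
    if not keep:
        # The legitimate entry was removed as well; restore the default.
        keep = [ntpath.join(windir, "system32", "userinit.exe")]
    return ",".join(keep) + ","


if __name__ == "__main__":
    for bad in find_userinit_hijacks(SAMPLE_LOG):
        print("UserInit hijack:", bad)
```

On the sample log the script reports `C:\WINDOWS\system32\fbqjhw.exe` and `cleaned_userinit` yields `C:\WINDOWS\SYSTEM32\Userinit.exe,`. Fixing the registry value alone is not enough if the file is still on disk and something else (a service, a driver, a scheduled task) restores the value; that is the "comes back from the dead" pattern, and it is why the thread moves to a rescue CD scan.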
-
signed up, awesome.
-
Never heard of the company before today. wow, you learn something new everyday.
-
Yeah, that bypasses the exefile hijack. So does a BartPE CD. Which one I choose depends on what I'm doing (BartPE CDs don't work too well on the helpdesk).
The bootable rescue CDs from Dr.Web and Avira also work well in my experience.
-
Not part of the staff either, glad to see your support of this excellent product.
-
Another very effective and free utility that I recommend is Panda USB Vaccine.
It's available for free download, link below.
Source:
http://www.pandasecurity.com/homeusers/downloads/usbvaccine/
Panda USB Vaccine is a free solution designed to protect against this threat. It offers a double layer of preventive protection, allowing users to disable the AutoRun feature on computers as well as on USB drives and other devices:
Vaccine for computers: This is a
-
So I find free alternatives that work for me, like Autorun Eater from Old McDonald's Farm and Outpost Firewall Free.
I have actually also disabled autorun on all my drives. Very effective in preventing malware from automatically running from infected USB drives.
Source:
http://www.publicsafety.gc.ca/prg/em/ccirc...08-004-eng.aspx
To block all autorun.inf files from executing, which can be applied as a global policy by changing the registry keys, perform the following steps:
1. Start Notepad.
2. Copy the text below and paste it into Notepad. Everything between the square brackets should be on one line.
3.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
4. Save the file with the name NoAutoRun.reg. Make sure to include the .reg extension.
5. Right-click on your .reg file and choose "Merge". Confirm any warning prompts to add the information to the registry. Alternatively, you can use the following command: "REG IMPORT NoAutoRun.reg".
6. Restart the computer.
Changing this registry key will prevent any part of the autorun.inf file from executing, even if the computer has seen the device before the registry change and has it cached in the MountPoints2 key. It also disables the autorun features without causing other negative side effects.
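The mapping works because Windows consults IniFileMapping before reading any .ini-style file, and `@SYS:DoesNotExist` redirects every autorun.inf lookup to a registry key that is not there. A practitioner applying this to more than one machine wants a way to verify it, so the script below is an added example (not from this thread or the CCIRC advisory): a small parser for the .reg export format that checks the default value of the Autorun.inf key. It runs over two constructed samples, one hardened and one without the key. The `reg export` command in the docstring is the standard Windows tool for producing such a file.

```python
"""Audit a registry export for the Autorun.inf IniFileMapping hardening.

Added example, not code from the forum thread or the CCIRC advisory. The
.reg file above points every autorun.inf lookup at a registry key that does
not exist, so Windows never reads the file. To confirm that the change is in
place on a machine, export the key:

    reg export "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\IniFileMapping" dump.reg

and run check_autorun_mapping() over the file's text.
"""
import re

AUTORUN_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\IniFileMapping\Autorun.inf")
EXPECTED_DEFAULT = "@SYS:DoesNotExist"

# Constructed sample in the REGEDIT4 dialect of the NoAutoRun.reg file above.
SAMPLE_HARDENED = """REGEDIT4

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\IniFileMapping\\Autorun.inf]
@="@SYS:DoesNotExist"
"""

# Constructed sample of an export from a machine without the hardening: the
# Autorun.inf key is absent and only an unrelated mapping is present.
SAMPLE_UNHARDENED = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\IniFileMapping\\win.ini]
"Example"="SYS:Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Example"
"""


def _unescape(text):
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r'\\(["\\])', r'\1', text)


def parse_reg(text):
    """Parse a .reg export into {key_path_lowercased: {value_name: data}}.

    The default value is stored under the name ''. Only quoted REG_SZ data is
    decoded, which is all IniFileMapping uses; other types keep their raw text.
    Key paths are lower-cased because registry key names are case-insensitive.
    """
    lines = text.lstrip("\ufeff").splitlines()
    if not lines or lines[0].strip() not in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
        raise ValueError("not a .reg export")
    keys, current = {}, None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})  # a key with no values still counts as present
            continue
        if current is None:
            continue
        name, _, data = line.partition("=")
        name = "" if name == "@" else _unescape(name.strip('"'))
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def check_autorun_mapping(text):
    """Return (ok, reason) for the Autorun.inf mapping in a .reg export."""
    values = parse_reg(text).get(AUTORUN_KEY.lower())
    if values is None:
        return False, "IniFileMapping\\Autorun.inf key missing; autorun.inf is still honoured"
    default = values.get("")
    if default != EXPECTED_DEFAULT:
        return False, "default value is %r, expected %r" % (default, EXPECTED_DEFAULT)
    return True, "autorun.inf lookups are redirected to a key that does not exist"


if __name__ == "__main__":
    for label, sample in (("hardened", SAMPLE_HARDENED), ("unhardened", SAMPLE_UNHARDENED)):
        print(label, check_autorun_mapping(sample))
```

The check insists on the exact string `@SYS:DoesNotExist`; a value that merely names some other key would still be read if that key existed, so anything else is reported as a failure with the value that was found.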
-
Plus a USB security app to block any threats via USB drive.
My choice is USB Disk Security.
Yes, I use that on my PCs as well. I dig the idea that it creates AUTORUN.INF folders on all your disk drives
and removable drives that can't be deleted even if you do a Shift+Del.
Also, DefenseWall 2.56 has default settings to run ALL USB drives as 'untrusted', so that's awesome.
-
1 word: HIPS (Host Intrusion Prevention System).
I recommend DefenseWall or GesWall.
(AppGuard, Prevx Edge, and Malware Defender are good too.)
They are the future, man!!
Heads Up! MBAM can't delete a trojan. Keeps coming back from the dead!
(in Resolved Malware Removal Logs)
Thanks again, I did not want to waste your time analyzing the logs, as the cleanup is 100%. For now. lol.
Your time and help are precious and should be freed up to address the other serious infections in this forum!