Trojan reported by AVG not found by MalwareBytes


My father has been quietly ignoring alerts from AVG that his computer is infected with a trojan. Looking at his report logs it looks like it's been there since sometime in mid-June.

 

AVG is reporting that the infection is in a file called disk.sys in C:\WINDOWS\Driver Cache\i386\sp2.cab but it is unable to clean it or quarantine it (too large?). The only option I'm being given is to remove the files permanently, which makes me nervous. MalwareBytes can't seem to find it at all.

 

dds.txt

 

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Heather at 20:51:53 on 2013-08-16
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.958.142 [GMT -4:00]
.
AV: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\Western Digital\WD Security\WDDriveAutoUnlock.exe
C:\Program Files\Nuance\PaperPort\pptd40nt.exe
C:\Program Files\Nuance\PDF Viewer Plus\pdfpro5hook.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\Browny02\Brother\BrStMonW.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ControlCenter4\BrCtrlCntr.exe
C:\Documents and Settings\Heather\Local Settings\Application Data\The Weather Network\WeatherEye.exe
C:\Program Files\ControlCenter4\BrCcUxSys.exe
C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe
C:\Program Files\Western Digital\WD Drive Manager\WDDriveService.exe
C:\Program Files\Western Digital\WD SmartWare\WDRulesEngine.exe
C:\Program Files\Western Digital\WD SmartWare\WDBackupEngine.exe
C:\Program Files\Ida\Ida.exe
C:\Program Files\Browny02\BrYNSvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe
C:\Program Files\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank





BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: PlusIEEventHelper Class: {551A852F-39A6-44A7-9C13-AFBEC9185A9D} - c:\program files\nuance\pdf viewer plus\bin\PlusIEContextMenu.dll
uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ida] "c:\program files\ida\IdaLaunch.exe" -tray
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WeatherEye] c:\documents and settings\heather\local settings\application data\the weather network\WeatherEye.exe
uRun: [KSS] "c:\program files\kaspersky lab\kaspersky security scan 2.0\kss.exe" /autorun
mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [unlockerAssistant] c:\program files\unlocker\UnlockerAssistant.exe -H
mRun: [AVG_UI] "c:\program files\avg\avg2013\avgui.exe" /TRAYONLY
mRun: [soundMan] SOUNDMAN.EXE
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [WD Drive Unlocker] c:\program files\western digital\wd security\WDDriveAutoUnlock.exe
mRun: [WD Quick View] c:\program files\western digital\wd quick view\WDDMStatus.exe
mRun: [indexSearch] "c:\program files\nuance\paperport\IndexSearch.exe"
mRun: [PaperPort PTD] "c:\program files\nuance\paperport\pptd40nt.exe"
mRun: [PDFHook] c:\program files\nuance\pdf viewer plus\pdfpro5hook.exe
mRun: [PDF5 Registry Controller] c:\program files\nuance\pdf viewer plus\RegistryController.exe
mRun: [ControlCenter4] c:\program files\controlcenter4\BrCcBoot.exe /autorun
mRun: [brStsMon00] c:\program files\browny02\brother\BrStMonW.exe /AUTORUN
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: %SYSTEMROOT%\system32\nvLsp.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.


TCP: NameServer = 24.226.1.93 24.226.10.193
TCP: Interfaces\{A5040B11-4AB0-43E8-B723-28E0559EFF09} : DHCPNameServer = 24.226.1.93 24.226.10.193
Hosts: 127.0.0.1    www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\heather\application data\mozilla\firefox\profiles\6ea3gzf7.default\
FF - plugin: c:\program files\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20513.0\npctrlui.dll
FF - plugin: c:\program files\picasa3\npPicasa3.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_224.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-9-21 55776]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2012-9-21 177376]
R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2012-10-5 94048]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2012-9-14 35552]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2012-9-13 179936]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2012-9-21 19936]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2012-10-2 159712]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2012-9-21 164832]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2013\avgidsagent.exe [2012-11-16 5814904]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2013\avgwdsvc.exe [2012-10-22 196664]
R2 KSS;Kaspersky Security Scan Service;c:\program files\kaspersky lab\kaspersky security scan 2.0\kss.exe [2012-12-7 202328]
R2 PDFProFiltSrvPP;PDFProFiltSrvPP;c:\program files\nuance\paperport\PDFProFiltSrvPP.exe [2011-8-2 145256]
R2 WDBackup;WD Backup;c:\program files\western digital\wd smartware\WDBackupEngine.exe [2012-9-19 1157056]
R2 WDDriveService;WD Drive Manager;c:\program files\western digital\wd drive manager\WDDriveService.exe [2012-9-6 248248]
R2 WDRulesService;WD Rules;c:\program files\western digital\wd smartware\WDRulesEngine.exe [2012-9-19 1177536]
R3 BrYNSvc;BrYNSvc;c:\program files\browny02\BrYNSvc.exe [2013-7-9 266240]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2013-1-22 11520]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [2012-10-28 23456]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-4-18 754856]
.
=============== Created Last 30 ================
.
2013-08-16 03:11:47    --------    d-----w-    c:\program files\Kaspersky Lab
2013-08-16 03:11:47    --------    d-----w-    c:\documents and settings\all users\application data\Kaspersky Lab
2013-08-14 00:31:40    --------    d-----w-    c:\documents and settings\heather\application data\Malwarebytes
2013-08-14 00:31:07    --------    d-----w-    c:\documents and settings\heather\application data\ControlCenter4
2013-08-08 01:23:31    --------    d-----w-    c:\documents and settings\all users\application data\Malwarebytes
2013-08-08 01:23:30    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-08-08 01:23:30    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-08-08 01:09:37    216064    ----a-w-    c:\windows\system32\gcapi_dll.dll
.
==================== Find3M  ====================
.
2013-06-29 21:06:18    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-29 21:06:18    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-06-08 03:55:44    385024    ------w-    c:\windows\system32\html.iec
2013-06-07 21:56:06    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-06-07 21:56:06    43520    ------w-    c:\windows\system32\licmgr10.dll
2013-06-07 21:56:05    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-06-04 07:23:02    562688    ----a-w-    c:\windows\system32\qedit.dll
2013-06-04 01:40:45    1876736    ----a-w-    c:\windows\system32\win32k.sys
.
============= FINISH: 20:52:31.59 ===============
 

 

attach.txt

 

 

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 27/10/2012 8:22:06 PM
System Uptime: 15/08/2013 11:07:03 PM (21 hours ago)
.
Motherboard:   |  | C51MCP51
Processor: AMD Athlon 64 Processor 3200+ | Socket 939 | 1999/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 250 GiB total, 211.143 GiB free.
E: is CDROM (CDFS)
G: is FIXED (NTFS) - 931 GiB total, 931.174 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP208: 19/05/2013 4:49:06 PM - System Checkpoint
RP209: 20/05/2013 6:35:11 PM - System Checkpoint
RP210: 21/05/2013 9:43:57 PM - System Checkpoint
RP211: 22/05/2013 10:08:19 PM - System Checkpoint
RP212: 23/05/2013 11:06:50 PM - System Checkpoint
RP213: 25/05/2013 2:12:14 PM - System Checkpoint
RP214: 26/05/2013 2:45:05 PM - System Checkpoint
RP215: 27/05/2013 6:43:26 PM - System Checkpoint
RP216: 28/05/2013 8:33:01 PM - System Checkpoint
RP217: 29/05/2013 9:25:49 PM - System Checkpoint
RP218: 30/05/2013 10:12:40 PM - System Checkpoint
RP219: 31/05/2013 11:07:08 PM - System Checkpoint
RP220: 02/06/2013 5:37:27 PM - System Checkpoint
RP221: 03/06/2013 6:00:25 PM - System Checkpoint
RP222: 04/06/2013 6:59:58 PM - System Checkpoint
RP223: 05/06/2013 7:56:15 PM - System Checkpoint
RP224: 06/06/2013 9:16:29 PM - Removed LibreOffice 4.0.2.2
RP225: 06/06/2013 9:22:22 PM - Removed LibreOffice 4.0 Help Pack (English (United Kingdom))
RP226: 07/06/2013 9:57:19 PM - System Checkpoint
RP227: 09/06/2013 8:59:42 PM - System Checkpoint
RP228: 10/06/2013 10:21:19 PM - System Checkpoint
RP229: 12/06/2013 2:37:15 PM - Software Distribution Service 3.0
RP230: 13/06/2013 3:49:52 PM - System Checkpoint
RP231: 14/06/2013 4:55:21 PM - System Checkpoint
RP232: 16/06/2013 11:39:27 AM - System Checkpoint
RP233: 21/06/2013 9:03:08 PM - System Checkpoint
RP234: 23/06/2013 6:55:58 PM - System Checkpoint
RP235: 24/06/2013 7:39:44 PM - System Checkpoint
RP236: 25/06/2013 8:31:03 PM - System Checkpoint
RP237: 26/06/2013 10:34:18 PM - System Checkpoint
RP238: 27/06/2013 10:36:02 PM - System Checkpoint
RP239: 29/06/2013 4:27:17 PM - System Checkpoint
RP240: 30/06/2013 5:03:36 PM - System Checkpoint
RP241: 01/07/2013 6:09:58 PM - System Checkpoint
RP242: 02/07/2013 6:43:49 PM - System Checkpoint
RP243: 03/07/2013 6:47:02 PM - System Checkpoint
RP244: 04/07/2013 8:23:48 PM - System Checkpoint
RP245: 05/07/2013 9:27:14 PM - System Checkpoint
RP246: 07/07/2013 5:47:17 PM - System Checkpoint
RP247: 08/07/2013 6:36:29 PM - System Checkpoint
RP248: 09/07/2013 6:52:02 PM - System Checkpoint
RP249: 09/07/2013 9:20:37 PM - Installed MSXML 4.0 SP3 Parser
RP250: 09/07/2013 9:20:52 PM - Installed Microsoft Visual C++ 2005 Redistributable
RP251: 09/07/2013 9:21:56 PM - Installed Nuance PaperPort 12.
RP252: 09/07/2013 9:24:17 PM - Installed Nuance PDF Viewer Plus.
RP253: 09/07/2013 9:25:30 PM - Installed PaperPort Image Printer.
RP254: 09/07/2013 9:25:42 PM - Printer Driver Nuance Image Printer Driver Installed
RP255: 09/07/2013 9:29:49 PM - Installed Brother Software Suite
RP256: 09/07/2013 9:32:50 PM - Unsigned printer driver Brother PC-FAX v.3 installed.
RP257: 10/07/2013 4:40:15 PM - Software Distribution Service 3.0
RP258: 11/07/2013 1:55:22 PM - Software Distribution Service 3.0
RP259: 12/07/2013 2:18:25 PM - System Checkpoint
RP260: 13/07/2013 6:32:49 PM - System Checkpoint
RP261: 14/07/2013 6:54:52 PM - System Checkpoint
RP262: 15/07/2013 7:03:12 PM - System Checkpoint
RP263: 16/07/2013 7:42:05 PM - System Checkpoint
RP264: 17/07/2013 11:19:00 PM - System Checkpoint
RP265: 19/07/2013 5:52:13 PM - System Checkpoint
RP266: 20/07/2013 7:21:53 PM - System Checkpoint
RP267: 21/07/2013 7:33:01 PM - System Checkpoint
RP268: 22/07/2013 7:40:24 PM - System Checkpoint
RP269: 23/07/2013 10:26:52 PM - System Checkpoint
RP270: 24/07/2013 11:09:44 PM - System Checkpoint
RP271: 25/07/2013 11:18:50 PM - System Checkpoint
RP272: 27/07/2013 12:29:37 PM - System Checkpoint
RP273: 28/07/2013 12:30:20 PM - System Checkpoint
RP274: 29/07/2013 12:41:00 PM - System Checkpoint
RP275: 30/07/2013 4:57:02 PM - System Checkpoint
RP276: 31/07/2013 10:09:45 PM - System Checkpoint
RP277: 01/08/2013 10:34:32 PM - System Checkpoint
RP278: 02/08/2013 11:30:51 PM - System Checkpoint
RP279: 04/08/2013 10:01:30 AM - System Checkpoint
RP280: 05/08/2013 1:07:27 PM - System Checkpoint
RP281: 06/08/2013 5:30:18 PM - System Checkpoint
RP282: 07/08/2013 9:10:12 PM - Printer Driver Foxit Reader PDF Printer Driver Installed
RP283: 08/08/2013 10:28:23 PM - System Checkpoint
RP284: 10/08/2013 9:59:29 AM - System Checkpoint
RP285: 11/08/2013 11:58:28 AM - System Checkpoint
RP286: 12/08/2013 4:34:36 PM - System Checkpoint
RP287: 13/08/2013 9:06:38 PM - System Checkpoint
RP288: 15/08/2013 11:11:39 PM - Installed Kaspersky Security Scan.
.
==== Installed Programs ======================
.
7-Zip 9.22beta
Adobe Flash Player 11 Plugin
AVG 2013
Brother MFL-Pro Suite MFC-J4410DW
DriverAgent by eSupport.com
Enhanced Multimedia Keyboard Solution
Foxit Reader
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2756822)
Hotfix for Windows XP (KB2779562)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Ida
K-Lite Codec Pack 9.4.0 (Standard)
Kaspersky Security Scan
LibreOffice 4.0 Help Pack (English (United Kingdom))
LibreOffice 4.0.3.3
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2698023)
Microsoft .NET Framework 1.1 Security Update (KB2833941)
Microsoft .NET Framework 1.1 SP1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Microsoft Visual J# 1.1 Redistributable Package
Microsoft Visual J# 2.0 Redistributable
Microsoft Visual J# 2.0 Redistributable Package
Mozilla Firefox 22.0 (x86 en-GB)
Mozilla Maintenance Service
Mozilla Thunderbird 17.0.8 (x86 en-GB)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP3 Parser
MSXML 4.0 SP3 Parser (KB2758694)
Nuance PaperPort 12
Nuance PDF Viewer Plus
NVIDIA Drivers
NVIDIA ForceWare Network Access Manager
PaperPort Image Printer
Picasa 3
Realtek AC'97 Audio
Scansoft PDF Professional
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2840629)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2832407)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB2761465)
Security Update for Windows Internet Explorer 8 (KB2792100)
Security Update for Windows Internet Explorer 8 (KB2797052)
Security Update for Windows Internet Explorer 8 (KB2799329)
Security Update for Windows Internet Explorer 8 (KB2809289)
Security Update for Windows Internet Explorer 8 (KB2817183)
Security Update for Windows Internet Explorer 8 (KB2829530)
Security Update for Windows Internet Explorer 8 (KB2838727)
Security Update for Windows Internet Explorer 8 (KB2846071)
Security Update for Windows Internet Explorer 8 (KB2847204)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544521)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219-v2)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135-v2)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB2727528)
Security Update for Windows XP (KB2731847-v2)
Security Update for Windows XP (KB2744842)
Security Update for Windows XP (KB2753842-v2)
Security Update for Windows XP (KB2753842)
Security Update for Windows XP (KB2757638)
Security Update for Windows XP (KB2758857)
Security Update for Windows XP (KB2761226)
Security Update for Windows XP (KB2770660)
Security Update for Windows XP (KB2778344)
Security Update for Windows XP (KB2779030)
Security Update for Windows XP (KB2780091)
Security Update for Windows XP (KB2799494)
Security Update for Windows XP (KB2802968)
Security Update for Windows XP (KB2807986)
Security Update for Windows XP (KB2808735)
Security Update for Windows XP (KB2813170)
Security Update for Windows XP (KB2820197)
Security Update for Windows XP (KB2820917)
Security Update for Windows XP (KB2829361)
Security Update for Windows XP (KB2834886)
Security Update for Windows XP (KB2839229)
Security Update for Windows XP (KB2845187)
Security Update for Windows XP (KB2850851)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
Software Update for Web Folders
Spybot - Search & Destroy
StudioTax 2012
The Weather Network
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB2598845)
Update for Windows Internet Explorer 8 (KB2632503)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2492386)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2736233)
Update for Windows XP (KB2749655)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB973815)
WD Drive Utilities
WD Security
WD SmartWare
WebFldrs XP
Winamp
Winamp Detector Plug-in
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Internet Explorer 8
Windows Management Framework Core
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
Windows XP Service Pack 3
.
==== Event Viewer Messages From Past Week ========
.
16/08/2013 12:08:29 AM, error: Service Control Manager [7011]  - Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.
15/08/2013 9:33:14 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
15/08/2013 9:33:10 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
15/08/2013 11:03:06 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
15/08/2013 11:02:08 PM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AVGIDSDriver AVGIDSShim Avgldx86 Fips Processor
13/08/2013 9:31:18 PM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AFD AVGIDSDriver AVGIDSShim Avgldx86 Avgtdix Fips IPSec MRxSmb NetBIOS NetBT Processor RasAcd Rdbss Tcpip WS2IFSL
13/08/2013 9:31:18 PM, error: Service Control Manager [7001]  - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error:  A device attached to the system is not functioning.
13/08/2013 9:31:18 PM, error: Service Control Manager [7001]  - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:  A device attached to the system is not functioning.
13/08/2013 9:31:18 PM, error: Service Control Manager [7001]  - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
13/08/2013 9:31:18 PM, error: Service Control Manager [7001]  - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error:  A device attached to the system is not functioning.
13/08/2013 9:31:18 PM, error: Service Control Manager [7001]  - The AVGIDSAgent service depends on the AVGIDSDriver service which failed to start because of the following error:  A device attached to the system is not functioning.
13/08/2013 9:30:34 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
13/08/2013 7:54:50 PM, error: Service Control Manager [7006]  - The ScRegSetValueExW call failed for FailureActions with the following error:  Access is denied.
.
==== End Of File ===========================
 

 

Thanks in advance,

 

~ Juniper


Hi MrC,

 

I followed your instructions, double clicked on sp2.cab, selected all of the files, but when I right click the only options I am given are Copy and Extract, no option to do scans with either AVG or MalwareBytes.

 

If I right click on sp2.cab I am given the options to do the scans. MalwareBytes detected nothing. AVG reported the same as before: disk.sys is infected with Generic33.AZPZ, no further details.

 

If I attempt to Copy or Extract disk.sys from sp2.cab AVG detects the Trojan.


Done. Details copied below. (I didn't bother including the names of the 41 scanners that did NOT detect a problem with the file, but MalwareBytes was among them.)

 

Analysis:

 

Detection ratio is 5/46

 

AVG                Generic33.AZPZ

ClamAV             Win.Trojan.188280

McAfee             Artemis!D1A535875A70

McAfee-GW-Edition  Artemis!D1A535875A70

nProtect           Trojan/W32.Jorik.36352.J

 

File Detail:

 

The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file.
PE signature block
Copyright           © Microsoft Corporation. All rights reserved.
Publisher           Microsoft Corporation
Product             Microsoft® Windows® Operating System
Version             5.1.2600.3368
Original name       scsidisk.sys
Internal name       scsidisk.sys
File version        5.1.2600.3368 (xpsp_sp2_qfe.080507-1250)
Description         PnP Disk Driver
 
File Identification:
 
MD5             d1a535875a7081ca3cb6ac579963da00
SHA1            04d1df9082ad94af3fdfb4f43188a39dcfcb4eb1
SHA256          b355c8eebffdad796311e3027a59552cb25a150b264a7c609fec518d2c3bbb61
ssdeep          768:hKGi15ukBQTDs/Xk+ZOfBIE2FndA3c1/TCJJg2gsVE:hKGi15ukqTIM+ZOfBILddAJJg2gsVE
File size       35.5 KB ( 36352 bytes )
File type       Win32 EXE
Magic literal   PE32 executable for MS Windows (native) Intel 80386 32-bit
 
TrID            Win32 Executable (generic) (52.9%)
                Generic Win/DOS Executable (23.5%)
                DOS Executable Generic (23.4%)
                Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

VirusTotal metadata

First submission     2013-06-17 23:56:27 UTC ( 2 months ago )
Last submission      2013-08-18 03:15:51 UTC ( 8 minutes ago )
File names           scsidisk.sys
                     disk.sys
