windows xp infected with "windows antivirus 2011"

Sorry for the slow reply. I got a bunch of HW assignments....

It seems like the situation is slightly more complicated:

The system on this machine is a dual-boot system. Windows XP is installed first and then Ubuntu, so the Ubuntu GRUB will take care of the whole system booting. Consequently, there is no Windows Recovery Console option in the system booting stage, although there is supposed to be one considering the effort that we have made in the past few days.

Hopefully there are workarounds.

Any suggestion is more than welcome,

Thanks,

Yan

Unfortunately that didn't work as it should. Let's try it a little differently.

First repeat the steps below.

  1. Restart your computer
  2. Before Windows loads, you will be prompted to choose which Operating System to start
  3. Use the up and down arrow key to select Microsoft Windows Recovery Console
  4. You must enter which Windows installation to log onto. Type 1 and press enter.
  5. At the C:\Windows prompt, type the following bolded text, and press Enter:
    copy winlogon.exe system32\winlogon.exe
    When asked to overwrite, type Y and press enter.
  6. The command should then show 1 file(s) copied. At the next prompt type the following bolded text, and press Enter:
  7. At the next prompt type the following bolded text, and press Enter:
    exit

Windows will now begin loading.

Please rerun Combofix and post me the new log.


Don't you see the option after you choose the XP option from the GRUB boot loader menu? After selecting XP and pressing enter, start tapping the up/down arrows.

However, if you can access your windows partition from Ubuntu, you can also do the steps from there:

copy c:\windows\winlogon.exe to c:\windows\system32\winlogon.exe


I did see the option for XP from the GRUB boot loader. But after selecting XP, I think I saw something flashing by very quickly, maybe that's the spot. But I am not sure before I give it another try.

I will reply ASAP.

Thanks,

Ryan


Hi Elise,

Thanks for the help, and here is the log,

Thanks,

Ryan

ComboFix 11-04-03.03 - Administrator -04-04 ??? 12:54:43.6.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.936.86.2052.18.1013.551 [GMT -4:00]

????: c:\documents and settings\Administrator\??\ComboFix.exe

AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

.

.

((((((((((((((((((((((((((((((((((((((( ?????? )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\winlogon.exe

.

.

((((((((((((((((((((((((( 2011-03-04 ? 2011-04-04 ????? )))))))))))))))))))))))))))))))

.

.

2011-04-03 03:18 . 2011-04-03 03:18 -------- d-----w- c:\windows\system32\xircom

2011-04-03 03:18 . 2011-04-03 03:18 -------- d-----w- c:\windows\system32\wbem\snmp

2011-04-03 03:18 . 2011-04-03 03:18 -------- d-----w- c:\windows\system32\oobe

2011-04-03 03:18 . 2011-04-03 03:18 -------- d-----w- c:\program files\microsoft frontpage

2011-04-02 04:14 . 2008-05-09 00:00 493056 ----a-w- c:\windows\system32\winlogon.exe

2011-03-29 17:13 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-03-29 17:13 . 2011-03-29 17:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-03-29 17:13 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-03-27 01:22 . 2011-03-27 01:22 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2011-03-27 01:22 . 2011-03-27 01:22 125488 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2011-03-27 01:20 . 2011-03-27 01:22 -------- d-----w- c:\program files\Symantec

2011-03-27 00:54 . 2011-03-27 00:54 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2011-03-26 20:09 . 2011-03-26 20:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities

2011-03-26 18:02 . 2011-03-26 18:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2011-03-26 17:40 . 2011-03-26 18:20 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-03-26 17:40 . 2011-03-26 18:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2011-03-25 22:12 . 2011-03-25 22:12 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2011-03-23 03:21 . 2011-03-23 03:21 -------- d--h--w- c:\windows\PIF

2011-03-21 19:59 . 2011-03-21 19:59 -------- d-----w- c:\documents and settings\Administrator\.globus

2011-03-21 19:59 . 2011-03-21 20:00 -------- d-----w- c:\documents and settings\Administrator\.sshterm

.

.

(((((((((((((((((((((((((((((((((((((((( ??????????? ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-20 20:26 . 2010-11-09 23:04 3956 ----a-w- c:\windows\system32\PerfStringBackup.TMP

.

.

------- Sigcheck -------

.

[-] 2008-05-09 . 440EDA2420CFA1B3B2AB4725FC33825D . 493056 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

.

((((((((((((((((((((((((((((( SnapShot@2011-03-30_00.39.12 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-04-04 16:51 . 2011-04-04 16:51 16384 c:\windows\Temp\Perflib_Perfdata_2a4.dat

.

((((((((((((((((((((((((((((((((((((( ????? ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*??* ???????????????

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-03 135664]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-21 134656]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-21 166912]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-21 134656]

"Microsoft Pinyin IME Migration"="c:\progra~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE" [2008-11-03 33128]

"Google IME Autoupdater"="c:\program files\Google\Google Pinyin\GooglePinyinDaemon.exe" [2009-03-27 308720]

"RTHDCPL"="RTHDCPL.EXE" [2008-01-09 16859648]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-12-10 115560]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_3"="advpack.dll" [2009-03-07 128512]

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMConfigurePrograms"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

.

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0220804]

Ime File REG_SZ GOOGLEPINYIN.IME

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\srv6B8]

@="service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]

2008-06-11 14:43 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]

2008-06-11 18:25 37232 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-09-23 08:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileZilla Server Interface]

2009-12-30 23:25 1208832 ----a-w- c:\program files\FileZilla Server\FileZilla Server Interface.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2010-03-03 14:55 135664 ----atw- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"XLDoctor Services"=2 (0x2)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=

"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

"c:\\Program Files\\Xming\\Xming.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\DS\\Ver1\\1.0.2.69\\ThunderService.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\DS\\Ver1\\1.0.2.69\\ThunderLiveUD.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\DS\\Ver1\\1.0.2.69\\XLBugReport.exe"=

"c:\\Program Files\\FileZilla Server\\FileZilla Server Interface.exe"=

"c:\\Program Files\\MATLAB\\R2008a\\bin\\win32\\MATLAB.exe"=

"c:\\Program Files\\Thunder Network\\Thunder\\XLDoctor\\7.1.0.1962_1\\Program\\XLDoctorUI.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder.exe"=

"c:\\Program Files\\Thunder Network\\Thunder\\XLDoctor\\7.1.4.2104_2\\Program\\XLDoctorUI.exe"=

"c:\\Program Files\\Thunder Network\\Thunder\\Program\\ThunderLiveUD.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\TP\\Ver1\\1.1.2.46_1111\\ThunderPlatform.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\TP\\Ver1\\1.1.2.46_1111\\ThunderLiveUD.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\TP\\Ver1\\1.1.2.46_1111\\XLBugReport.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"14717:TCP"= 14717:TCP:BitComet 14717 TCP

"14717:UDP"= 14717:UDP:BitComet 14717 UDP

.

R2 KAVSafe;KAVSafe;c:\windows\system32\drivers\KAVSafe.sys [2010-5-1 19:18 60008]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-3-26 21:27 102448]

S2 srv6B8;srv6B8;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 8:00 14336]

S4 XLDoctor Services;XLDoctor Services;c:\program files\Thunder Network\Thunder\Program\DctSer.exe [2011-3-6 16:30 38704]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

srv6B8

.


Can you copy both c:\windows\system32\winlogon.exe and c:\windows\explorer.exe from the clean computer to a flash drive?

Then boot into your Ubuntu partition, access the NTFS (Windows) partition, and replace c:\windows\explorer.exe and c:\windows\system32\winlogon.exe with the respective files you copied onto the flash drive.

After this, reboot into XP, rerun ComboFix and post me the new log.
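One way to do this replacement from the Ubuntu side with a hash check before and after the copy, as an added example that is not part of the thread. It assumes the NTFS volume is mounted read-write at /media/windows and the flash drive at /media/flashdrive (both hypothetical paths); the optional reference hash argument is for a value you obtained from a trusted source, not one taken from the infected machine.

```shell
#!/bin/sh
# Added example (not from the thread): replace a suspect XP system file from the
# Ubuntu side of the dual boot, checking hashes before and after the copy.
# Assumptions (hypothetical paths): the NTFS volume is mounted read-write at
# $NTFS_ROOT and the clean copies from the other machine sit under $CLEAN_DIR.
# Directory names on the NTFS volume are case-sensitive under ntfs-3g, so
# "WINDOWS" must be spelled exactly as it appears on disk.

# Print the hex MD5 of a file and nothing else (md5sum on Linux, md5 on BSD/macOS).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Return 0 when two files have identical contents.
same_file() {
    [ "$(md5_of "$1")" = "$(md5_of "$2")" ]
}

# replace_if_different CLEAN TARGET BACKUP_DIR [EXPECTED_MD5]
# Backs up TARGET (kept for later analysis), overwrites it with CLEAN, and
# re-hashes the result. If EXPECTED_MD5 is given (a reference hash for the
# clean file from a trusted source), CLEAN must match it before anything is
# written. Prints "replaced" or "unchanged".
# Exit status: 0 ok, 1 post-copy verification failed, 2 bad input.
replace_if_different() {
    clean="$1"; target="$2"; backup_dir="$3"; expected="${4:-}"
    [ -f "$clean" ] || { echo "missing clean copy: $clean" >&2; return 2; }
    [ -f "$target" ] || { echo "missing target: $target" >&2; return 2; }
    if [ -n "$expected" ] && [ "$(md5_of "$clean")" != "$expected" ]; then
        echo "clean copy $clean does not match reference hash $expected" >&2
        return 2
    fi
    if same_file "$clean" "$target"; then
        echo "unchanged"
        return 0
    fi
    mkdir -p "$backup_dir"
    # Keep the suspect binary with its timestamps; rename it so it cannot run by accident.
    cp -p "$target" "$backup_dir/$(basename "$target").suspect"
    cp "$clean" "$target"
    same_file "$clean" "$target" || { echo "verification of $target failed" >&2; return 1; }
    echo "replaced"
}

# Only act when explicitly asked, so sourcing this file for the functions is safe.
NTFS_ROOT="${NTFS_ROOT:-/media/windows}"        # hypothetical mount point
CLEAN_DIR="${CLEAN_DIR:-/media/flashdrive}"     # hypothetical flash drive path
BACKUP_DIR="${BACKUP_DIR:-$HOME/xp-suspect-files}"
if [ "${DO_REPLACE:-0}" = "1" ]; then
    replace_if_different "$CLEAN_DIR/winlogon.exe" \
        "$NTFS_ROOT/WINDOWS/system32/winlogon.exe" "$BACKUP_DIR"
    replace_if_different "$CLEAN_DIR/explorer.exe" \
        "$NTFS_ROOT/WINDOWS/explorer.exe" "$BACKUP_DIR"
fi
```

Run it with DO_REPLACE=1 once the mount points are confirmed; the .suspect copies in the backup directory are what you would hash and submit for analysis from Linux.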


Hi,

The file "explorer.exe" on the clean computer seems to be compromised.

Please see below for scan results on explorer.exe.

So where should I locate the alternative on the XP installation copy?

Thanks,

Ryan

File name:

explorer.exe

Submission date:

2011-04-06 14:22:35 (UTC)

Current status:

queued queued analysing finished

Result:

2/ 41 (4.9%)

VT Community

not reviewed

Safety score: -


Antivirus Version Last Update Result

AhnLab-V3 2011.04.06.02 2011.04.06 -

AntiVir 7.11.5.206 2011.04.06 -

Antiy-AVL 2.0.3.7 2011.04.06 -

Avast 4.8.1351.0 2011.04.06 -

Avast5 5.0.677.0 2011.04.01 -

AVG 10.0.0.1190 2011.04.06 -

BitDefender 7.2 2011.04.06 -

CAT-QuickHeal 11.00 2011.04.06 -

ClamAV 0.97.0.0 2011.04.06 -

Commtouch 5.2.11.5 2011.04.06 -

Comodo 8241 2011.04.06 -

DrWeb 5.0.2.03300 2011.04.06 -

eSafe 7.0.17.0 2011.04.04 -

eTrust-Vet 36.1.8256 2011.04.06 -

F-Prot 4.6.2.117 2011.04.06 -

F-Secure 9.0.16440.0 2011.04.06 -

Fortinet 4.2.254.0 2011.04.06 -

GData 22 2011.04.06 -

Ikarus T3.1.1.103.0 2011.04.06 -

Jiangmin 13.0.900 2011.04.05 -

K7AntiVirus 9.96.4303 2011.04.06 EmailWorm

Kaspersky 7.0.0.125 2011.04.06 -

McAfee 5.400.0.1158 2011.04.06 -

McAfee-GW-Edition 2010.1C 2011.04.06 -

Microsoft 1.6702 2011.04.06 -

NOD32 6019 2011.04.06 -

Norman 6.07.07 2011.04.06 -

Panda 10.0.3.5 2011.04.06 -

PCTools 7.0.3.5 2011.04.04 -

Prevx 3.0 2011.04.06 -

Rising 23.52.02.06 2011.04.06 -

Sophos 4.64.0 2011.04.06 -

SUPERAntiSpyware 4.40.0.1006 2011.04.06 -

Symantec 20101.3.2.89 2011.04.06 -

TheHacker 6.7.0.1.168 2011.04.06 Trojan/Downloader.Geral.ngf

TrendMicro 9.200.0.1012 2011.04.06 -

TrendMicro-HouseCall 9.200.0.1012 2011.04.06 -

VBA32 3.12.14.3 2011.04.06 -

VIPRE 8936 2011.04.06 -

ViRobot 2011.4.6.4396 2011.04.06 -

VirusBuster 13.6.290.0 2011.04.06 -


Hi Elise,

Thanks for the help,

Here is the ComboFix log after I replaced the explorer.exe and winlogon.exe under my Linux OS.

Ryan

ComboFix 11-04-06.01 - Administrator -04-06 ??? 23:33:21.7.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.936.86.2052.18.1013.522 [GMT -4:00]

????: c:\documents and settings\Administrator\??\ComboFix.exe

AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

* ????????

.

.

((((((((((((((((((((((((( 2011-03-07 ? 2011-04-07 ????? )))))))))))))))))))))))))))))))

.

.

2011-04-07 03:29 . 2008-05-09 00:00 493056 ------w- c:\windows\system32\winlogon.exe

2011-04-07 03:28 . 2008-04-14 12:00 978432 ------w- c:\windows\explorer.exe

2011-04-03 03:18 . 2011-04-03 03:18 -------- d-----w- c:\windows\system32\xircom

2011-04-03 03:18 . 2011-04-03 03:18 -------- d-----w- c:\windows\system32\wbem\snmp

2011-04-03 03:18 . 2011-04-03 03:18 -------- d-----w- c:\windows\system32\oobe

2011-04-03 03:18 . 2011-04-03 03:18 -------- d-----w- c:\program files\microsoft frontpage

2011-03-29 17:13 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-03-29 17:13 . 2011-03-29 17:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-03-29 17:13 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-03-27 01:22 . 2011-03-27 01:22 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2011-03-27 01:22 . 2011-03-27 01:22 125488 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2011-03-27 01:20 . 2011-03-27 01:22 -------- d-----w- c:\program files\Symantec

2011-03-27 00:54 . 2011-03-27 00:54 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2011-03-26 20:09 . 2011-03-26 20:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities

2011-03-26 18:02 . 2011-03-26 18:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2011-03-26 17:40 . 2011-03-26 18:20 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-03-26 17:40 . 2011-03-26 18:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2011-03-25 22:12 . 2011-03-25 22:12 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2011-03-23 03:21 . 2011-03-23 03:21 -------- d--h--w- c:\windows\PIF

2011-03-21 19:59 . 2011-03-21 19:59 -------- d-----w- c:\documents and settings\Administrator\.globus

2011-03-21 19:59 . 2011-03-21 20:00 -------- d-----w- c:\documents and settings\Administrator\.sshterm

.

.

(((((((((((((((((((((((((((((((((((((((( ??????????? ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-20 20:26 . 2010-11-09 23:04 3956 ----a-w- c:\windows\system32\PerfStringBackup.TMP

.

.

------- Sigcheck -------

.

[-] 2008-05-09 . 440EDA2420CFA1B3B2AB4725FC33825D . 493056 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

.

((((((((((((((((((((((((((((( SnapShot@2011-03-30_00.39.12 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-04-07 03:30 . 2011-04-07 03:30 16384 c:\windows\Temp\Perflib_Perfdata_398.dat

.

((((((((((((((((((((((((((((((((((((( ????? ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*??* ???????????????

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-03 135664]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-21 134656]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-21 166912]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-21 134656]

"Microsoft Pinyin IME Migration"="c:\progra~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE" [2008-11-03 33128]

"Google IME Autoupdater"="c:\program files\Google\Google Pinyin\GooglePinyinDaemon.exe" [2009-03-27 308720]

"RTHDCPL"="RTHDCPL.EXE" [2008-01-09 16859648]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-12-10 115560]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_3"="advpack.dll" [2009-03-07 128512]

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMConfigurePrograms"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

.

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0220804]

Ime File REG_SZ GOOGLEPINYIN.IME

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\srv6B8]

@="service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]

2008-06-11 14:43 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]

2008-06-11 18:25 37232 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-09-23 08:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileZilla Server Interface]

2009-12-30 23:25 1208832 ----a-w- c:\program files\FileZilla Server\FileZilla Server Interface.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2010-03-03 14:55 135664 ----atw- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"XLDoctor Services"=2 (0x2)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=

"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

"c:\\Program Files\\Xming\\Xming.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\DS\\Ver1\\1.0.2.69\\ThunderService.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\DS\\Ver1\\1.0.2.69\\ThunderLiveUD.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\DS\\Ver1\\1.0.2.69\\XLBugReport.exe"=

"c:\\Program Files\\FileZilla Server\\FileZilla Server Interface.exe"=

"c:\\Program Files\\MATLAB\\R2008a\\bin\\win32\\MATLAB.exe"=

"c:\\Program Files\\Thunder Network\\Thunder\\XLDoctor\\7.1.0.1962_1\\Program\\XLDoctorUI.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder.exe"=

"c:\\Program Files\\Thunder Network\\Thunder\\XLDoctor\\7.1.4.2104_2\\Program\\XLDoctorUI.exe"=

"c:\\Program Files\\Thunder Network\\Thunder\\Program\\ThunderLiveUD.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\TP\\Ver1\\1.1.2.46_1111\\ThunderPlatform.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\TP\\Ver1\\1.1.2.46_1111\\ThunderLiveUD.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\TP\\Ver1\\1.1.2.46_1111\\XLBugReport.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"14717:TCP"= 14717:TCP:BitComet 14717 TCP

"14717:UDP"= 14717:UDP:BitComet 14717 UDP

.

R2 KAVSafe;KAVSafe;c:\windows\system32\drivers\KAVSafe.sys [2010-5-1 19:18 60008]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-3-26 21:27 102448]

S2 srv6B8;srv6B8;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 8:00 14336]

S4 XLDoctor Services;XLDoctor Services;c:\program files\Thunder Network\Thunder\Program\DctSer.exe [2011-3-6 16:30 38704]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

srv6B8

.


Hi Elise,

Thanks, I will do this ASAP. Hopefully, I do not have this computer infected as well.

Ryan

From within Linux, can you access http://www.virustotal.com and upload c:\windows\system32\winlogon.exe? It's important not to do this from Windows, because if the file is infected, it may mask itself.

Copy/paste the results here, or link me to them.


It seems like the server is down: http://www.virustotal.com/

I tried three times and will try it again later today.

Thanks,

Ryan

+++++++++++++++++++++++++++++++++++++++++++++++++++

Server error!

The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there was an error in a CGI script.

If you think this is a server error, please contact the webmaster.

Error 500

Sat Apr 9 19:14:52 2011 http://www.virustotal.com/

I don't think so, it looks like a legit copy of the file on first sight.


Hi again, how are things running at this point?

Please launch MBAM, update it and run a full scan. Post me the resulting log.

Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.


Hi Elise,

Java has been removed and reinstalled with the newest version.

I have done the full scan by the mbam. The log is as follows,

(Sorry for the inconvenience of reading these characters. The only infection is in the registry.)

Thanks,

Ryan

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

?????? 6327

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

2011-4-10 21:12:59

mbam-log-2011-04-10 (21-12-59).txt

????: ???? (C:\|D:\|E:\|)

?????: 281277

???? 18 ??, 22 ?

?????????? 0

?????????? 0

?????????? 0

?????????? 0

???????????? 1

????????? 0

???????? 0


HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Administrator\Local Settings\Application Data\uos.exe"


Hi, no worries, I know what's supposed to be there. :)

Do you have any problem left?

Let's run one last scan for leftovers.

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

    3. Check esetAcceptTerms.png
    4. Click the esetStart.png button.
    5. Accept any security warnings from your browser.
    6. Check esetScanArchives.png
    7. Push the Start button.
    8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    9. When the scan completes, push esetListThreats.png
    10. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      Note - when ESET doesn't find any threats, no report will be created.
    11. Push the esetBack.png button.
    12. Push esetFinish.png


Hi Elise,

Here is the log for ESET.

Thanks,

Ryan

C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\15\5707e40f-38774f4c Java/TrojanDownloader.OpenConnection.CU trojan deleted - quarantined

C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\4\73af3104-11af51a9 a variant of Java/TrojanDownloader.OpenStream.NBF trojan deleted - quarantined

D:\Download\AutoCAD2010\AutoCAD???\xf-a2010-64bits.rar a variant of Win32/Keygen.BL application deleted - quarantined

D:\Download\AutoCAD2010\AutoCAD???\xf-a2010-32bits.rar a variant of Win32/Keygen.BL application deleted - quarantined


Hi again, those were just some leftovers, which means you're good to go. :)

ALL CLEAN

--------------

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
    • Rerun OTL and click the Cleanup button. This will remove all logs and tools we used.

Please read these advices, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.

  2. Keep Windows (and your other Microsoft software) up to date!

     I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

     Therefore, please visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  3. Keep your other software up to date as well

     Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.

  4. Stay up to date!

     The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

This topic is now closed to further replies.