About vladmir
Posts: 15
Reputation: 0 Neutral
Birthday: 11/05/1981
-
Update: This laptop does not have internet access for now, so I won't be able to do online scans, but will have to download the update database manually. Also, this has XP Pro SP2 installed. There is no autorun.inf infection happening, as I checked by inserting pendrives in the USB ports; everything came up clean. So I don't know what this fbqjhw.exe is doing. Thanks for all your hard work in helping us. In the meantime, I will scan with the Avira and AVG bootscan rescue CDs and will keep you updated. Please tell me what else you would like from me.
-
Hi guys, here's the situation. Got a friend's laptop, had viruses, removed most of them with Mbam + SAS + Combofix. Just 1 remains. It might be a rootkit. Mbam detects it, deletes it, it comes back up again. In normal and safe mode. System restore is already turned off, doesn't help. Here's the log of MBAM:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4125

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

7/22/2010 8:18:07 AM
mbam-log-2010-07-22 (08-18-07).txt

Scan type: Quick scan
Objects scanned: 13655
Time elapsed: 1 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (regedit.exe %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

The HijackThis log is clearer; it identifies the file as F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\fbqjhw.exe,

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:32:02 PM, on 7/22/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ASTSRV.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Genesys Logic PC Camera Device\GenePccMon.exe
C:\Program Files\USB Disk Security\USBGuard.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\MyPortal\Speed-X\SpeedX.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\fbqjhw.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [GenePccMon.exe] C:\Program Files\Genesys Logic PC Camera Device\GenePccMon.exe
O4 - HKLM\..\Run: [USB Antivirus] C:\Program Files\USB Disk Security\USBGuard.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [SpeedX] C:\PROGRA~1\MyPortal\Speed-X\SpeedX.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\system32\ASTSRV.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Venturi Client (VenturiClient) - Venturi Wireless - C:\Program Files\Netbooster Client\Client\ventc.exe

--
End of file - 4866 bytes

Guys, help please!!

Edit: Some more info. It looks like it's this one: http://www.prevx.com/filenames/X1125429822...FBQJHW.EXE.html It's funny that the prevx website lists this one as originating in the UK, because until a couple of weeks ago, this laptop was in the UK. Now it's back in India.
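As an added defender-side example (not code from the post, from Malwarebytes or from HijackThis), here is a Python check for the persistence mechanism the F2 line above exposes: it parses the Winlogon UserInit value, drops the stock userinit.exe entry and reports any extra launch entry such as fbqjhw.exe, which is exactly what keeps coming back in the post. The sample log text is constructed from the lines above; the live_userinit_value reader is an assumption that only works when run on Windows.

```python
import re
from typing import List, Optional

# Constructed sample: the F2 line quoted from the HijackThis log above plus one benign O4 line.
SAMPLE_HJT_LOG = (
    "F2 - REG:system.ini: UserInit=C:\\WINDOWS\\SYSTEM32\\Userinit.exe,C:\\WINDOWS\\system32\\fbqjhw.exe,\n"
    "O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe\n"
)

# HijackThis reports the Winlogon UserInit value on an "F2 - REG:system.ini:" line.
F2_USERINIT = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.MULTILINE)

def userinit_values(log_text: str) -> List[str]:
    """Every UserInit value reported on an F2 line of a HijackThis log."""
    return [m.group(1).strip() for m in F2_USERINIT.finditer(log_text)]

def split_userinit(value: str) -> List[str]:
    """Split the comma-separated UserInit value into individual launch entries.
    Windows stores the default with a trailing comma, so empty pieces are dropped."""
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]

def unexpected_userinit_entries(value: str, system_root: str = r"C:\WINDOWS") -> List[str]:
    """Entries other than the stock userinit.exe. Winlogon launches every program
    listed here at logon, so any extra path is a persistence mechanism to investigate
    (and to re-check after cleanup, since the post shows the entry being re-added)."""
    expected = (system_root + r"\system32\userinit.exe").lower()
    return [e for e in split_userinit(value) if e.lower() != expected]

def scan_hjt_log(log_text: str, system_root: str = r"C:\WINDOWS") -> List[str]:
    """Collect all unexpected UserInit entries found in a HijackThis log."""
    findings: List[str] = []
    for value in userinit_values(log_text):
        findings.extend(unexpected_userinit_entries(value, system_root))
    return findings

def live_userinit_value() -> Optional[str]:
    """Read the live Winlogon UserInit value (assumption: Windows host); None elsewhere."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return None
    path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        return winreg.QueryValueEx(key, "Userinit")[0]

if __name__ == "__main__":
    print("Unexpected UserInit entries in sample log:", scan_hjt_log(SAMPLE_HJT_LOG))
    live = live_userinit_value()
    if live is not None:
        print("Unexpected entries on this machine:", unexpected_userinit_entries(live))
```

Because the value is rewritten by the malware after each removal, a single clean result is not proof of cleanup; run the check again after a reboot and after the next logon.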
-
signed up, awesome.
-
Never heard of the company before today. Wow, you learn something new every day.
-
Is Malwarebytes enough? Or do I need AV as well
vladmir replied to Anthony H's topic in Malwarebytes for Windows
The bootable rescue CDs from Dr.Web and Avira also work well in my experience.
-
Not part of the staff either, glad to see your support of this excellent product.
-
Is Malwarebytes enough? Or do I need AV as well
vladmir replied to Anthony H's topic in Malwarebytes for Windows
Another very effective and free utility that I recommend is Panda USB Vaccine. It's available for free download, link below.
Source: http://www.pandasecurity.com/homeusers/downloads/usbvaccine/
-
Is Malwarebytes enough? Or do I need AV as well
vladmir replied to Anthony H's topic in Malwarebytes for Windows
I actually also have disabled autorun on all my drives. Very effective in preventing malware from automatically running from infected USB drives.
Source: http://www.publicsafety.gc.ca/prg/em/ccirc...08-004-eng.aspx
-
Is Malwarebytes enough? Or do I need AV as well
vladmir replied to Anthony H's topic in Malwarebytes for Windows
Yes, I use that on my PCs as well. I dig the idea that it creates AUTORUN.INF folders in all your disk drives, and removable drives, that can't be deleted even if you do a Shift+Del. Also, DefenseWall 2.56 has default settings to run ALL USB drives as 'untrusted', so that's awesome.
-
Is Malwarebytes enough? Or do I need AV as well
vladmir replied to Anthony H's topic in Malwarebytes for Windows
One word: HIPS (Host Intrusion Prevention System). I recommend DefenseWall or GesWall. AppGuard, Prevx Edge, and Malware Defender are good too. They are the future, man!!