[Resolved] infected computer

  1. #1
    bobinfleet (Junior Member)

    Hi, I've got a virus problem with my daughter's computer that I hope you can help with.
    She said a friend sent her an mp3 by e-mail, and when she opened it, it infected her computer.
    On the desktop is a warning that it is infected, and a virus scan (from the infection) starts up and tells you to activate the programme. It will not let me open any files. I've tried to get on the internet, but it just gives the message "Warning: your computer is infected with spyware. Application cannot be executed. The file is infected."
    I have tried to format the drive but cannot get into DOS.
    I was thinking of putting it as a slave hard drive in another machine and wiping it clean that way. Is this possible?
    It has got Virgin's PC Guard, but it has been taken over.
    It is an XP Home SP3.


  2. #2
    broni (Senior Member)
    Using a working computer...

    Upload the following files to VirusTotal - Free Online Virus and Malware Scan for a security check:
    - explorer.exe located @ C:\Windows
    - userinit.exe and svchost.exe located @ C:\Windows\System32
    Post the scan results.

  3. #3
    bobinfleet (Junior Member)
    Thanks for the post, but as I mentioned, the virus will not let me open Firefox or any other programs. Update: I have taken the hard drive out and put it as a slave in another machine, and at the moment I am doing a virus scan using Virgin's PC Guard.

  4. #4
    broni (Senior Member)
    It may be important to your other computer's security.
    Since you slaved the drive....

    Upload the following files to VirusTotal - Free Online Virus and Malware Scan for a security check:
    - explorer.exe located @ C:\Windows
    - userinit.exe and svchost.exe located @ C:\Windows\System32
    Post the scan results.

  5. #5
    bobinfleet (Junior Member)
    Hi Broni, my PC Guard did not find anything, but here are the results from VirusTotal.
    Antivirus Version Last Update Result
    a-squared 4.5.0.24 2009.07.31 -
    AhnLab-V3 5.0.0.2 2009.07.31 -
    AntiVir 7.9.0.238 2009.07.31 -
    Antiy-AVL 2.0.3.7 2009.07.31 -
    Authentium 5.1.2.4 2009.07.31 -
    Avast 4.8.1335.0 2009.07.31 -
    AVG 8.5.0.406 2009.07.31 -
    BitDefender 7.2 2009.08.01 -
    CAT-QuickHeal 10.00 2009.07.30 -
    ClamAV 0.94.1 2009.08.01 -
    Comodo 1831 2009.08.01 -
    DrWeb 5.0.0.12182 2009.08.01 -
    eSafe 7.0.17.0 2009.07.30 -
    eTrust-Vet 31.6.6650 2009.08.01 -
    F-Prot 4.4.4.56 2009.07.31 -
    F-Secure 8.0.14470.0 2009.07.31 -
    Fortinet 3.120.0.0 2009.08.01 -
    GData 19 2009.08.01 -
    Ikarus T3.1.1.64.0 2009.07.31 -
    Jiangmin 11.0.800 2009.07.31 -
    K7AntiVirus 7.10.807 2009.07.31 -
    Kaspersky 7.0.0.125 2009.08.01 -
    McAfee 5694 2009.07.31 -
    McAfee+Artemis 5694 2009.07.31 -
    McAfee-GW-Edition 6.8.5 2009.08.01 Heuristic.LooksLike.Trojan.Drop.Mudrop.K
    Microsoft 1.4903 2009.08.01 -
    NOD32 4295 2009.07.31 -
    Norman 6.01.09 2009.07.31 -
    nProtect 2009.1.8.0 2009.08.01 -
    Panda 10.0.0.14 2009.07.31 -
    PCTools 4.4.2.0 2009.07.31 -
    Prevx 3.0 2009.08.01 -
    Rising 21.40.44.00 2009.07.31 -
    Sophos 4.44.0 2009.08.01 -
    Sunbelt 3.2.1858.2 2009.07.31 -
    Symantec 1.4.4.12 2009.08.01 -
    TheHacker 6.3.4.3.375 2009.08.01 -
    TrendMicro 8.950.0.1094 2009.07.31 -
    VBA32 3.12.10.9 2009.07.31 -
    ViRobot 2009.7.31.1863 2009.07.31 -
    VirusBuster 4.6.5.0 2009.07.31 -
    File svchost.exe received on 2009.08.02 01:58:56 (UTC)
    Current status: finished

    Result: 0/41 (0.00%)
    Antivirus Version Last Update Result
    a-squared 4.5.0.24 2009.08.01 -
    AhnLab-V3 5.0.0.2 2009.08.01 -
    AntiVir 7.9.0.238 2009.07.31 -
    Antiy-AVL 2.0.3.7 2009.07.31 -
    Authentium 5.1.2.4 2009.08.01 -
    Avast 4.8.1335.0 2009.08.01 -
    AVG 8.5.0.406 2009.08.01 -
    BitDefender 7.2 2009.08.02 -
    CAT-QuickHeal 10.00 2009.07.30 -
    ClamAV 0.94.1 2009.08.01 -
    Comodo 1836 2009.08.01 -
    DrWeb 5.0.0.12182 2009.08.02 -
    eSafe 7.0.17.0 2009.07.30 -
    eTrust-Vet 31.6.6650 2009.08.01 -
    F-Prot 4.4.4.56 2009.08.01 -
    F-Secure 8.0.14470.0 2009.08.01 -
    Fortinet 3.120.0.0 2009.08.01 -
    GData 19 2009.08.02 -
    Ikarus T3.1.1.64.0 2009.08.01 -
    Jiangmin 11.0.800 2009.08.01 -
    K7AntiVirus 7.10.808 2009.08.01 -
    Kaspersky 7.0.0.125 2009.08.02 -
    McAfee 5695 2009.08.01 -
    McAfee+Artemis 5695 2009.08.01 -
    McAfee-GW-Edition 6.8.5 2009.08.02 -
    Microsoft 1.4903 2009.08.02 -
    NOD32 4297 2009.08.01 -
    Norman 6.01.09 2009.07.31 -
    nProtect 2009.1.8.0 2009.08.01 -
    Panda 10.0.0.14 2009.08.01 -
    PCTools 4.4.2.0 2009.08.01 -
    Prevx 3.0 2009.08.02 -
    Rising 21.40.44.00 2009.07.31 -
    Sophos 4.44.0 2009.08.02 -
    Sunbelt 3.2.1858.2 2009.08.02 -
    Symantec 1.4.4.12 2009.08.02 -
    TheHacker 6.3.4.3.375 2009.08.01 -
    TrendMicro 8.950.0.1094 2009.07.31 -
    VBA32 3.12.10.9 2009.08.02 -
    ViRobot 2009.7.31.1863 2009.07.31 -
    VirusBuster 4.6.5.0 2009.07.31 -

    File userinit.exe received on 2009.08.01 12:34:49 (UTC)
    Current status: finished

    Result: 0/41 (0.00%)
    Antivirus Version Last Update Result
    a-squared 4.5.0.24 2009.07.31 -
    AhnLab-V3 5.0.0.2 2009.08.01 -
    AntiVir 7.9.0.238 2009.07.31 -
    Antiy-AVL 2.0.3.7 2009.07.31 -
    Authentium 5.1.2.4 2009.07.31 -
    Avast 4.8.1335.0 2009.07.31 -
    AVG 8.5.0.406 2009.08.01 -
    BitDefender 7.2 2009.08.01 -
    CAT-QuickHeal 10.00 2009.07.30 -
    ClamAV 0.94.1 2009.08.01 -
    Comodo 1835 2009.08.01 -
    DrWeb 5.0.0.12182 2009.08.01 -
    eSafe 7.0.17.0 2009.07.30 -
    eTrust-Vet 31.6.6650 2009.08.01 -
    F-Prot 4.4.4.56 2009.07.31 -
    F-Secure 8.0.14470.0 2009.07.31 -
    Fortinet 3.120.0.0 2009.08.01 -
    GData 19 2009.08.01 -
    Ikarus T3.1.1.64.0 2009.07.31 -
    Jiangmin 11.0.800 2009.08.01 -
    K7AntiVirus 7.10.808 2009.08.01 -
    Kaspersky 7.0.0.125 2009.08.01 -
    McAfee 5694 2009.07.31 -
    McAfee+Artemis 5694 2009.07.31 -
    McAfee-GW-Edition 6.8.5 2009.08.01 -
    Microsoft 1.4903 2009.08.01 -
    NOD32 4295 2009.07.31 -
    Norman 6.01.09 2009.07.31 -
    nProtect 2009.1.8.0 2009.08.01 -
    Panda 10.0.0.14 2009.08.01 -
    PCTools 4.4.2.0 2009.07.31 -
    Prevx 3.0 2009.08.01 -
    Rising 21.40.44.00 2009.07.31 -
    Sophos 4.44.0 2009.08.01 -
    Sunbelt 3.2.1858.2 2009.07.31 -
    Symantec 1.4.4.12 2009.08.01 -
    TheHacker 6.3.4.3.375 2009.08.01 -
    TrendMicro 8.950.0.1094 2009.07.31 -
    VBA32 3.12.10.9 2009.08.01 -
    ViRobot 2009.7.31.1863 2009.07.31 -
    VirusBuster 4.6.5.0 2009.07.31 -

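To read tables like the ones pasted above without counting rows by hand, here is an added example (not from the thread or from VirusTotal) that parses the plain-text result format into a detection ratio and flags the case where the only hits are heuristic names, which is weaker evidence than a named family reported by several engines. The sample rows are a constructed subset of the first table above.

```python
"""Summarise a VirusTotal plain-text result table (added example)."""
import re

# Each row is "<vendor> <engine version> <YYYY.MM.DD> <result>"; the result is
# '-' for clean or a detection name. Vendor names contain no spaces, so the
# header line ("Antivirus Version Last Update Result") fails the date match
# and is skipped automatically.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+?)\s*$")

# Constructed sample: a subset of the rows from the first table in the thread.
SAMPLE = """\
Antivirus Version Last Update Result
AntiVir 7.9.0.238 2009.07.31 -
Kaspersky 7.0.0.125 2009.08.01 -
McAfee 5694 2009.07.31 -
McAfee-GW-Edition 6.8.5 2009.08.01 Heuristic.LooksLike.Trojan.Drop.Mudrop.K
Microsoft 1.4903 2009.08.01 -
Symantec 1.4.4.12 2009.08.01 -
"""

# Names that mark a generic or heuristic verdict rather than a known family.
HEURISTIC = re.compile(r"heur|looks ?like|generic|suspicious", re.I)


def parse_results(text):
    """Return (vendor, result) pairs for every well-formed row in the table."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(4)))
    return rows


def summarise(text):
    """Compute the detection ratio and separate heuristic hits from named ones."""
    rows = parse_results(text)
    hits = [(v, r) for v, r in rows if r != "-"]
    heuristic = [v for v, r in hits if HEURISTIC.search(r)]
    return {
        "engines": len(rows),
        "detections": len(hits),
        "ratio": f"{len(hits)}/{len(rows)}",
        "hits": hits,
        # True when every hit is heuristic: worth a second opinion, not a verdict.
        "heuristic_only": bool(hits) and len(heuristic) == len(hits),
    }


if __name__ == "__main__":
    print(summarise(SAMPLE))
```
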
  6. #6
    broni (Senior Member)
    Good news from those scans.
    What's your progress on the slave drive?

  7. #7
    bobinfleet (Junior Member)
    Nothing showed up on the antivirus, and I still have the h/d slaved into another computer; that's how I managed to upload the files to VirusTotal.

  8. #8
    broni (Senior Member)
    Why don't you put the drive back into the original computer, and we'll run some scans from there?
    Any problem with the internet connection on the original machine?

  9. #9
    bobinfleet (Junior Member)
    The drive is the master from the original machine, and when it was in I could not open any programs and could not get onto the internet. It is only because I have slaved it to another machine that I can upload the files for VirusTotal. I presume all I have done is let VirusTotal check the files and that the infection is still on the h/d. If that is the case, if I put it back in the original machine I won't be able to access the internet.

  10. #10
    broni (Senior Member)
    I see.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    **Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**

    Make sure you re-enable your security programs when you're done with ComboFix.
