Memory Chip Virus


Memory Chip Virus

Post by chupu on 4th February 2009, 6:45 am

Hello, here is my scenario. I have a 4GB Sony MagicGate Memory Stick Pro Duo and I seem to have contracted a virus on it. I highly doubt that the pictures have a virus on them. The files that I have are the "DCIM" folder (where the pictures and videos are), a "MEMSTICK.IND" file (which is locked), an "MSTK_PRO.IND" file (also locked) and a "Recycler" folder. Inside the DCIM on my Mac I see a folder which later disappears. On my brother's computer the folder does not disappear, and it is the folder of my pictures with all my pictures. In the Recycler folder there is a folder named "S-1-5-21-3318671052-061502871-8581524341-500" and inside it there is a "desktop.ini" file and a "~WRL0258.tmp". This "Recycler" folder is what I suspect is the virus folder, and I have tried deleting it several times but it keeps on showing up. What should I do? As I mentioned before, I am on a Mac.

Update 1: I just tried to delete them once again, but for the first time on my Mac, and all of a sudden all the files disappeared.

Update 2: I also scanned the whole chip with ClamXav (an antivirus) and it didn't find a virus. Is this just a command malfunction?

chupu
Novice
Posts: 10
Joined: 2009-02-04
OS: Macintosh
Points: 28637
Likes: 0

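The symptoms described in the opening post (a "Recycler" folder on a camera card that keeps coming back, a SID-named subfolder holding desktop.ini and a ~WRL0258.tmp, pictures that vanish from view) are the footprint of an autorun worm living on removable media. As an added example, not code from this thread or from any of the tools used in it, here is a Python check that walks the root of a mounted card and reports those indicators. The directory layout it scans is constructed from the thread's description plus the E:\d6fagcs8.cmd launcher that the later ComboFix log revealed; the severity levels and the rule about Recycle Bin folders are my own.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the thread: a RECYCLER folder on a camera card, a
# SID-named folder inside it holding desktop.ini and a ~WRL*.tmp, and (from
# the later ComboFix log) a root-level .cmd launcher. Severities are my own.
SID_DIR = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$", re.IGNORECASE)
RECYCLE_NAMES = {"recycler", "recycled", "$recycle.bin"}
LAUNCHER_EXT = {".cmd", ".bat", ".exe", ".com", ".pif", ".scr", ".vbs"}


def scan_removable_root(root):
    """Return (severity, relative path, reason) tuples for one mounted volume root."""
    root = Path(root)
    findings = []
    for entry in sorted(root.iterdir(), key=lambda p: p.name):
        lower = entry.name.lower()
        if entry.is_file():
            if lower == "autorun.inf":
                findings.append(("high", entry.name, "autorun.inf present on removable media"))
            elif entry.suffix.lower() in LAUNCHER_EXT:
                findings.append(("high", entry.name, "executable launcher at the volume root"))
        elif entry.is_dir() and lower in RECYCLE_NAMES:
            # Windows deletes permanently from removable drives and never creates
            # a Recycle Bin folder there, so this one was written by something else.
            findings.append(("medium", entry.name, "Recycle Bin folder on removable media"))
            for sub in sorted(entry.iterdir(), key=lambda p: p.name):
                if not (sub.is_dir() and SID_DIR.match(sub.name)):
                    continue
                payload = sorted(c.name for c in sub.iterdir() if c.name.lower() != "desktop.ini")
                if payload:
                    findings.append(("high", f"{entry.name}/{sub.name}",
                                     "SID-named folder hides files besides desktop.ini: " + ", ".join(payload)))
    return findings


def verdict(findings):
    """'infected' if any high-severity indicator was found, else 'clean'."""
    return "infected" if any(sev == "high" for sev, _, _ in findings) else "clean"


def build_constructed_sample(base):
    """Constructed copy of the card described in the thread; not real data."""
    base = Path(base)
    (base / "DCIM" / "100MSDCF").mkdir(parents=True)
    (base / "DCIM" / "100MSDCF" / "DSC00001.JPG").write_bytes(b"\xff\xd8\xff\xe0")  # JPEG header only
    (base / "MEMSTICK.IND").write_bytes(b"")
    (base / "MSTK_PRO.IND").write_bytes(b"")
    sid_dir = base / "RECYCLER" / "S-1-5-21-3318671052-061502871-8581524341-500"
    sid_dir.mkdir(parents=True)
    # A desktop.ini carrying the Recycle Bin CLSID makes Explorer draw the folder as a bin
    (sid_dir / "desktop.ini").write_text("[.ShellClassInfo]\r\nCLSID={645FF040-5081-101B-9F08-00AA002F954E}\r\n")
    (sid_dir / "~WRL0258.tmp").write_bytes(b"MZ")  # placeholder bytes, not a real binary
    (base / "d6fagcs8.cmd").write_text("@echo off\r\n")  # placeholder, not the worm's script
    (base / "autorun.inf").write_text("[AutoRun]\r\nopen=d6fagcs8.cmd\r\n")
    return base


def demo():
    """Build the constructed card in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        return scan_removable_root(tmp)


if __name__ == "__main__":
    results = demo()
    for sev, path, reason in results:
        print(f"[{sev:>6}] {path}: {reason}")
    print("verdict:", verdict(results))
```

Run it against a real card by calling scan_removable_root("/Volumes/<card>") on the Mac (or the drive letter inside the Windows VM); a Mac does not execute autorun.inf, which is why the card could be inspected from there without spreading the infection, while ClamXav's clean result shows that a signature scanner can miss the .cmd/.tmp pair entirely.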

Re: Memory Chip Virus

Post by Doctor Inferno on 4th February 2009, 8:23 am

Hey there, welcome to GeekPolice.

Please read the [You must be registered and logged in to see this link.] topic and post a HijackThis log here.


Doctor Inferno
Administrator
Posts: 12015
Joined: 2007-12-26
Gender: Male
OS: Windows 7 Home Premium and Ultimate X64
Protection: Kaspersky PURE and Malwarebytes' Anti-Malware
Points: 104610
Likes: 0


Re: Memory Chip Virus

Post by chupu on 4th February 2009, 10:15 pm

OK, so I am on a Mac and can't open .exe files, so I used my Windows Parallels program to download HijackThis, and here's my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:05:46 PM, on 2/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\Program Files\Parallels\Parallels Tools\ParallelsToolsCenter.exe
C:\Program Files\Parallels\Parallels Tools\SIA\sharedintapp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\windows\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Parallels\Parallels Tools\cohrence.exe
C:\windows\system32\svchost.exe
C:\Program Files\Parallels\Parallels Tools\toolsrv.exe
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\windows\system32\wuauclt.exe
C:\windows\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\3G8P88FY\hijackgpthis[1].exe
C:\WINDOWS\system32\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Parallels Tools] C:\Program Files\Parallels\Parallels Tools\ParallelsToolsCenter.exe
O4 - HKLM\..\Run: [SharedInternetApplication] "C:\Program Files\Parallels\Parallels Tools\SIA\sharedintapp.exe" /start
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SVCHOST] C:\WINDOWS\MDM.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Enviar a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Parallels Coherence Service (cohrence) - Parallels Software International, Inc. - C:\Program Files\Parallels\Parallels Tools\cohrence.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Parallels Tools Utility Service (toolsrv) - Parallels Software International, Inc. - C:\Program Files\Parallels\Parallels Tools\toolsrv.exe

--
End of file - 5243 bytes


Re: Memory Chip Virus

Post by Belahzur on 4th February 2009, 10:22 pm

Hello.
This infection is part of a flash drive infection, so we need you to have the infected flash drive plugged in while we do this; do not unplug it.


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKLM\..\Run: [SVCHOST] C:\WINDOWS\MDM.EXE
    O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre
Points: 245079
Likes: 1

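Belahzur picks exactly two O4 lines out of the HijackThis log above. Both can be explained structurally: "[SVCHOST]" borrows the name of a core Windows process, and the real svchost is started by the service control manager, never from a Run key; the value also points at C:\WINDOWS\MDM.EXE, an executable sitting directly in the Windows folder rather than in system32. The amvo.exe entry, by contrast, is recognised from its file name. The Python below is an added example, not part of the thread and not HijackThis's own logic: it encodes those two heuristics plus an optional known-bad name list and runs them over the O4 lines copied from the log. The heuristics are my own simplification and will not catch every malicious Run entry.

```python
import re
from dataclasses import dataclass, field

# A HijackThis O4 Run-key line: hive, value name in brackets, then the command.
O4_RUN = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Pull the executable path off a command line, quoted or not, dropping arguments.
EXE_PATH = re.compile(r'^"?(?P<path>[A-Za-z]:\\.+?\.(?:exe|com|cmd|bat|scr|pif))"?(?:\s|$)', re.IGNORECASE)
WINDOWS_ROOT = re.compile(r"^[A-Za-z]:\\(?:windows|winnt)$", re.IGNORECASE)
# Core processes are launched by the kernel, smss or the service control
# manager; a Run value carrying one of these names is impersonation.
CORE_PROCESSES = {"smss", "csrss", "winlogon", "services", "lsass", "svchost", "spoolsv"}

# O4 lines as they appear in the HijackThis log posted in this thread.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [Parallels Tools] C:\Program Files\Parallels\Parallels Tools\ParallelsToolsCenter.exe",
    r'O4 - HKLM\..\Run: [SharedInternetApplication] "C:\Program Files\Parallels\Parallels Tools\SIA\sharedintapp.exe" /start',
    r'O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"',
    r"O4 - HKLM\..\Run: [SVCHOST] C:\WINDOWS\MDM.EXE",
    r"O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe",
    r"O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe",
    r"O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe",
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
    r"O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe",
]


@dataclass
class RunEntry:
    hive: str
    name: str
    path: str
    reasons: list = field(default_factory=list)


def parse_o4_run(line):
    """Parse one O4 Run-key line; returns None for other O4 forms (e.g. Global Startup)."""
    m = O4_RUN.match(line.strip())
    if not m:
        return None
    p = EXE_PATH.match(m["cmd"])
    path = p["path"] if p else m["cmd"].strip('"')
    return RunEntry(m["hive"], m["name"], path)


def review_run_entries(lines, known_bad=frozenset()):
    """Return the entries that trip at least one heuristic, with the reasons attached."""
    suspicious = []
    for line in lines:
        entry = parse_o4_run(line)
        if entry is None:
            continue
        folder, _, filename = entry.path.rpartition("\\")
        if entry.name.lower().split(".")[0] in CORE_PROCESSES:
            entry.reasons.append(f"value name '{entry.name}' impersonates a core Windows process")
        if WINDOWS_ROOT.match(folder):
            entry.reasons.append(f"{filename} sits directly in the Windows folder instead of system32")
        if filename.lower() in known_bad:
            entry.reasons.append(f"{filename} matches a known-bad file name")
        if entry.reasons:
            suspicious.append(entry)
    return suspicious


if __name__ == "__main__":
    # amvo.exe is supplied as known-bad here because the helper identified it by name.
    for e in review_run_entries(SAMPLE_O4_LINES, known_bad={"amvo.exe"}):
        print(f"{e.hive} [{e.name}] {e.path}")
        for r in e.reasons:
            print("   -", r)
```

The two flagged entries are exactly the lines the "Fix Checked" step removes. Note what the heuristics do not do: they would pass amvo.exe without the known-bad list, because a lower-case, system32-resident file with an ordinary-looking name has no structural tell, which is why a trained reader of these logs still matters.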

Re: Memory Chip Virus

Post by chupu on 6th February 2009, 3:31 am

I followed the instructions and received this log. It also asked for a restart, but I wanted to post it before I restart:

Malwarebytes' Anti-Malware 1.33
Database version: 1733
Windows 5.1.2600 Service Pack 2

2/5/2009 5:29:26 PM
mbam-log-2009-02-05 (17-29-26).txt

Scan type: Quick Scan
Objects scanned: 53234
Time elapsed: 4 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SVCHOST.INI (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.


-------------------------------------------------

Update #1: Problem. After I restarted the virtual computer I once again connected my camera to see the pictures, and to my surprise they aren't there. Luckily the two files I considered to be the dangerous ones were deleted. When I am at the folder where the pictures should be, they appear as a blank space and a loading icon has been going for some time now. I know the pictures are there because I can view them on the camera, and the chip says it has 3.08GB remaining and it is a 4GB chip.

Update #2: Thank you very much, GeekPolice. I restarted the whole computer, not just the Windows emulator, and now I have the pictures. Thanks.


Re: Memory Chip Virus

Post by Belahzur on 6th February 2009, 4:49 pm

Awesome, let's make sure it's gone now.


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here; I don't need to see attach.txt.





Re: Memory Chip Virus

Post by chupu on 13th April 2009, 8:08 pm

Sorry for the wait, but it still does not work. Here is the DDS file as requested:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Administrator at 10:04:13.46 on Mon 04/13/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.512.221 [GMT -10:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\Program Files\AVG\AVG8\avgrsx.exe
C:\windows\system32\svchost -k DcomLaunch
svchost.exe
C:\windows\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\Program Files\Parallels\Parallels Tools\ParallelsToolsCenter.exe
C:\Program Files\Parallels\Parallels Tools\SIA\sharedintapp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\windows\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Parallels\Parallels Tools\cohrence.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Parallels\Parallels Tools\toolsrv.exe
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\wscntfy.exe
C:\windows\system32\wuauclt.exe
C:\windows\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: AVGTOOLBAR: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: AVGTOOLBAR: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [Parallels Tools] c:\program files\parallels\parallels tools\ParallelsToolsCenter.exe
mRun: [SharedInternetApplication] "c:\program files\parallels\parallels tools\sia\sharedintapp.exe" /start
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xportar a Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: .psf
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
AppInit_DLLs: avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-7-24 12936]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-24 96520]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-7-24 26824]
R1 PrlNP;PrlNP;c:\windows\system32\drivers\PRLFS.SYS [2008-7-17 138368]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-25 231192]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-7-24 76040]
R2 cohrence;Parallels Coherence Service;c:\program files\parallels\parallels tools\cohrence.exe [2008-7-17 53346]
R2 prl_paravirt_32;Parallels Paravirtualization Driver;c:\windows\system32\drivers\prl_paravirt_32.sys [2008-7-17 14957]
R2 PrlTime;Parallels Time Synchronization Driver;c:\windows\system32\drivers\prltime.sys [2008-7-17 2550]
R2 toolsrv;Parallels Tools Utility Service;c:\program files\parallels\parallels tools\toolsrv.exe [2008-7-17 90112]
R3 PCITG;PCITG;c:\windows\system32\drivers\pcitg.sys [2008-7-17 15232]
R3 prleth;Parallels Network Adapter;c:\windows\system32\drivers\prleth.sys [2008-7-17 6112]
R3 PrlMouse;Parallels Mouse Synchronization Tool;c:\windows\system32\drivers\PrlMouse.sys [2008-7-17 5341]
R3 PrlVideo;PrlVideo;c:\windows\system32\drivers\PrlVideo.sys [2008-7-17 16384]
S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [2008-7-17 9344]

=============== Created Last 30 ================


==================== Find3M ====================


============= FINISH: 10:04:28.14 ===============


Re: Memory Chip Virus

Post by Belahzur on 13th April 2009, 8:21 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (AVG8)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.





Re: Memory Chip Virus

Post by chupu on 13th April 2009, 9:08 pm

I did not get a combofix.txt but did get a log:

ComboFix 09-04-13.A2 - Administrator 2009-04-13 11:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.512.305 [GMT -10:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-03-13 to 2009-04-13 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-13 20:54 . 2008-07-24 18:44 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-13 19:57 . 2008-07-17 22:39 12292 ----a-w C:\.DS_Store
2009-03-06 01:40 . 2008-07-17 21:08 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-07-22 23:37 . 2008-07-17 20:50 68456 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Parallels Tools"="c:\program files\Parallels\Parallels Tools\ParallelsToolsCenter.exe" [2007-12-27 1064960]
"SharedInternetApplication"="c:\program files\Parallels\Parallels Tools\SIA\sharedintapp.exe" [2007-12-27 77824]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-07-06 167936]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\DRIVERS\NtApm.sys [2001-08-17 9344]
S1 PrlNP;PrlNP;c:\windows\system32\DRIVERS\prlfs.sys [2007-12-27 138368]
S2 cohrence;Parallels Coherence Service;c:\program files\Parallels\Parallels Tools\cohrence.exe [2007-12-27 53346]
S2 prl_paravirt_32;Parallels Paravirtualization Driver;c:\windows\system32\drivers\prl_paravirt_32.sys [2007-12-27 14957]
S2 PrlTime;Parallels Time Synchronization Driver;c:\windows\system32\drivers\PrlTime.sys [2007-12-27 2550]
S2 toolsrv;Parallels Tools Utility Service;c:\program files\Parallels\Parallels Tools\toolsrv.exe [2007-12-27 90112]
S3 PCITG;PCITG;c:\windows\system32\drivers\pcitg.sys [2007-12-27 15232]
S3 prleth;Parallels Network Adapter;c:\windows\system32\DRIVERS\prleth.sys [2007-12-27 6112]
S3 PrlMouse;Parallels Mouse Synchronization Tool;c:\windows\system32\DRIVERS\PrlMouse.sys [2007-12-27 5341]
S3 PrlVideo;PrlVideo;c:\windows\system32\DRIVERS\PrlVideo.sys [2007-12-27 16384]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{43b0c086-5480-11dd-8f5c-001c42fd645c}]
\Shell\AutoRun\command - E:\d6fagcs8.cmd
\Shell\explore\Command - E:\d6fagcs8.cmd
\Shell\open\Command - E:\d6fagcs8.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa208cd0-73bf-11dd-9182-001c42fd645c}]
\Shell\AutoRun\command - F:\MICKEY.exe
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: E&xportar a Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: .psf
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-04-13 11:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3380)
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\msi.dll
c:\program files\Parallels\Parallels Tools\menuhook.sc
.
Completion time: 2009-04-13 11:06
ComboFix-quarantined-files.txt 2009-04-13 21:06

Pre-Run: 11,669,172,224 bytes free
Post-Run: 12,160,987,136 bytes free

92 --- E O F --- 2009-03-06 01:41


Re: Memory Chip Virus

Post by Belahzur on 13th April 2009, 9:15 pm


  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{43b0c086-5480-11dd-8f5c-001c42fd645c}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa208cd0-73bf-11dd-9182-001c42fd645c}]

  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.

Try your camera USB now.




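The fix.reg above deletes the two MountPoints2 keys that ComboFix listed. Those keys are Explorer's per-drive cache of autorun.inf handlers: once a worm's autorun.inf has set the AutoRun, open and explore verbs to its launcher, double-clicking or right-click-exploring the drive runs that file, and the cache survives even after the card is cleaned. The Python below is an added example, not ComboFix's or Belahzur's own code. It parses the MountPoints2 block from the ComboFix log quoted earlier, flags hijacked verbs and root-level launchers (flagging rules are my own), and generates the same removal .reg file. One caveat the thread itself goes on to illustrate: deleting the cached key does not touch the launcher on the card (E:\d6fagcs8.cmd, F:\MICKEY.exe), which is why the next step is a CFScript naming those files.

```python
import re

# Key header of a MountPoints2 entry as ComboFix prints it.
MP2_KEY = re.compile(
    r"^\[(?P<key>HKEY_CURRENT_USER\\.*?\\mountpoints2\\\{[0-9a-f-]{36}\})\]$", re.IGNORECASE)
# Handler lines beneath it: \Shell\<verb>\command - <command line>
MP2_HANDLER = re.compile(r"^\\Shell\\(?P<verb>\w+)\\command - (?P<cmd>.+)$", re.IGNORECASE)
# A command that is nothing but an executable/script at the root of a drive.
ROOT_LAUNCHER = re.compile(r"^[A-Z]:\\[^\\]+\.(?:cmd|bat|exe|com|pif|scr|vbs)$", re.IGNORECASE)

# Excerpt of the ComboFix log posted in this thread, with surrounding lines kept
# to show that the parser ignores them.
SAMPLE_LOG = [
    r"S3 PrlVideo;PrlVideo;c:\windows\system32\DRIVERS\PrlVideo.sys [2007-12-27 16384]",
    "",
    "",
    r"[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{43b0c086-5480-11dd-8f5c-001c42fd645c}]",
    r"\Shell\AutoRun\command - E:\d6fagcs8.cmd",
    r"\Shell\explore\Command - E:\d6fagcs8.cmd",
    r"\Shell\open\Command - E:\d6fagcs8.cmd",
    "",
    r"[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa208cd0-73bf-11dd-9182-001c42fd645c}]",
    r"\Shell\AutoRun\command - F:\MICKEY.exe",
    ".",
    ".",
    "------- Supplementary Scan -------",
]


def parse_mountpoints2(log_lines):
    """Map each MountPoints2 key to its list of (verb, command) handlers."""
    entries = {}
    current = None
    for raw in log_lines:
        line = raw.rstrip()
        key = MP2_KEY.match(line)
        if key:
            current = key["key"]
            entries.setdefault(current, [])
            continue
        handler = MP2_HANDLER.match(line)
        if handler and current is not None:
            entries[current].append((handler["verb"].lower(), handler["cmd"]))
        elif line.startswith("[") or line == "":
            current = None  # a different key or a blank line ends the block
    return entries


def assess(entries):
    """Return {key: [reasons]} for entries that look like autorun-worm residue."""
    flagged = {}
    for key, handlers in entries.items():
        reasons = []
        for verb, cmd in handlers:
            if verb in ("open", "explore"):
                reasons.append(f"'{verb}' verb hijacked: opening the drive runs {cmd}")
            elif verb == "autorun" and ROOT_LAUNCHER.match(cmd):
                reasons.append(f"autorun launches a root-level file: {cmd}")
        if reasons:
            flagged[key] = reasons
    return flagged


def launchers(entries):
    """Distinct files the cached handlers point at; these still live on the media."""
    return sorted({cmd for handlers in entries.values() for _, cmd in handlers})


def render_fix_reg(keys):
    """Produce a .reg file that deletes the given keys, in the format Belahzur used."""
    lines = ["Windows Registry Editor Version 5.00", ""] + [f"[-{k}]" for k in keys]
    return "\r\n".join(lines) + "\r\n"  # .reg files are CRLF text


if __name__ == "__main__":
    found = parse_mountpoints2(SAMPLE_LOG)
    bad = assess(found)
    for key, reasons in bad.items():
        print(key)
        for r in reasons:
            print("   -", r)
    print("still on the media:", ", ".join(launchers(found)))
    print(render_fix_reg(bad))
```

The generated file matches the fix.reg in the post above line for line. launchers() is the list to hand to the follow-up cleanup of the card itself; a MountPoints2 entry with only an AutoRun verb pointing at a root-level executable is common for legitimate install CDs, so on a real system the drive letter should be checked against removable media before acting on that finding alone.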

Re: Memory Chip Virus

Post by chupu on 13th April 2009, 9:43 pm

I love geek police. Thank you it worked. I'll recommend you to everyone I meet and need help.


Re: Memory Chip Virus

Post by chupu on 15th April 2009, 4:14 am

Sometimes I can use it, sometimes I can't; the problem is still not fixed. Sometimes I see the files but they are corrupted, and sometimes I can see them but I can only save some to my computer before it just stops working. HEEEELP


Re: Memory Chip Virus

Post by Belahzur on 15th April 2009, 2:24 pm

Hello.
Do you still have Combofix? I want to run it with a custom-made script. Before doing this, plug the camera into the USB slot, but do not do anything with it.

Now open a new notepad file.
Input this into the notepad file:

File::
E:\d6fagcs8.cmd
F:\MICKEY.exe

Domains::

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.





Re: Memory Chip Virus

Post by chupu on 15th April 2009, 9:26 pm

ComboFix 09-04-13.A2 - Administrator 2009-04-15 11:22.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.512.314 [GMT -10:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
E:\d6fagcs8.cmd
F:\MICKEY.exe
.

((((((((((((((((((((((((( Files Created from 2009-03-15 to 2009-04-15 )))))))))))))))))))))))))))))))
.

2009-04-15 04:34 . 2009-04-15 04:34 12292 ----a-w c:\windows\system\.DS_Store
2009-04-15 04:34 . 2009-04-15 04:34 24580 ----a-w c:\windows\.DS_Store

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-15 05:43 . 2008-07-17 22:39 12292 ----a-w C:\.DS_Store
2009-04-15 04:32 . 2009-02-06 03:10 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-13 21:44 . 2008-07-17 21:08 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-13 20:54 . 2008-07-24 18:44 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-07 01:32 . 2009-02-06 03:10 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-07 01:32 . 2009-02-06 03:10 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-09 10:19 . 2004-08-04 11:00 1846272 ----a-w c:\windows\system32\win32k.sys
2008-07-22 23:37 . 2008-07-17 20:50 68456 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( SnapShot_2009-04-14_17.36.29.67 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-06 03:10 . 2009-04-07 01:32 38496 c:\windows\system32\drivers\mbamswissarmy.sys
- 2009-02-06 03:10 . 2009-01-15 02:11 38496 c:\windows\system32\drivers\mbamswissarmy.sys
+ 2009-02-06 03:10 . 2009-04-07 01:32 15504 c:\windows\system32\drivers\mbam.sys
- 2009-02-06 03:10 . 2009-01-15 02:11 15504 c:\windows\system32\drivers\mbam.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Parallels Tools"="c:\program files\Parallels\Parallels Tools\ParallelsToolsCenter.exe" [2007-12-27 1064960]
"SharedInternetApplication"="c:\program files\Parallels\Parallels Tools\SIA\sharedintapp.exe" [2007-12-27 77824]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-07-06 167936]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\DRIVERS\NtApm.sys [2001-08-17 9344]
S1 PrlNP;PrlNP;c:\windows\system32\DRIVERS\prlfs.sys [2007-12-27 138368]
S2 cohrence;Parallels Coherence Service;c:\program files\Parallels\Parallels Tools\cohrence.exe [2007-12-27 53346]
S2 prl_paravirt_32;Parallels Paravirtualization Driver;c:\windows\system32\drivers\prl_paravirt_32.sys [2007-12-27 14957]
S2 PrlTime;Parallels Time Synchronization Driver;c:\windows\system32\drivers\PrlTime.sys [2007-12-27 2550]
S2 toolsrv;Parallels Tools Utility Service;c:\program files\Parallels\Parallels Tools\toolsrv.exe [2007-12-27 90112]
S3 PCITG;PCITG;c:\windows\system32\drivers\pcitg.sys [2007-12-27 15232]
S3 prleth;Parallels Network Adapter;c:\windows\system32\DRIVERS\prleth.sys [2007-12-27 6112]
S3 PrlMouse;Parallels Mouse Synchronization Tool;c:\windows\system32\DRIVERS\PrlMouse.sys [2007-12-27 5341]
S3 PrlVideo;PrlVideo;c:\windows\system32\DRIVERS\PrlVideo.sys [2007-12-27 16384]

.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: E&xportar a Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-04-15 11:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3336)
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\msi.dll
c:\program files\Parallels\Parallels Tools\menuhook.sc
c:\program files\Microsoft Office\Office12\1033\GrooveIntlResource.dll
.
Completion time: 2009-04-15 11:25
ComboFix-quarantined-files.txt 2009-04-15 21:25
ComboFix2.txt 2009-04-15 05:31
ComboFix3.txt 2009-04-15 03:37
ComboFix4.txt 2009-04-13 21:06

Pre-Run: 13,198,901,248 bytes free
Post-Run: 13,190,250,496 bytes free

105 --- E O F --- 2009-04-13 21:46

chupu
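The following Python script is an added example for this thread, not code from ComboFix or from any post above. It parses the Run-key, service and SnapShot lines in the ComboFix excerpt above, pairs each "+" snapshot line with its "-" predecessor to show which files changed between runs, and flags autostart entries whose binary sits outside Windows or Program Files, or that carries a system-binary name (svchost.exe, lsass.exe and so on) in a directory where the real one never lives. The directory allow-list, the table of borrowed names and the extra "updater" entry in the sample are assumptions constructed for the example; every other sample line is copied from the log.

```python
"""Triage helpers for ComboFix-style log text (added example, not ComboFix's own code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption: on an XP box, autostart binaries normally live under one of these.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")

# Assumption: a file with one of these names is only legitimate under the listed directory.
SYSTEM_NAMES = {
    "svchost.exe": "c:\\windows\\system32\\",
    "lsass.exe": "c:\\windows\\system32\\",
    "csrss.exe": "c:\\windows\\system32\\",
    "winlogon.exe": "c:\\windows\\system32\\",
    "explorer.exe": "c:\\windows\\",
}

# Run-key line as it appears in the log: "name"="path" [YYYY-MM-DD size]
RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$')
# Service line: S2 name;display name;path [YYYY-MM-DD size]
SVC_RE = re.compile(
    r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+'
    r'\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$')
# SnapShot line: + created . modified size path  ('+' = current run, '-' = previous run)
SNAP_RE = re.compile(
    r'^(?P<sign>[+-])\s+(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\.\s+'
    r'(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size>\d+)\s+(?P<path>.+)$')


@dataclass
class Autostart:
    kind: str   # "run" (Run key) or "service"
    name: str
    path: str
    date: str
    size: int


def parse_autostarts(log: str) -> List[Autostart]:
    """Extract Run-key and service entries; lines of any other shape are ignored."""
    entries: List[Autostart] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            entries.append(Autostart("run", m["name"], m["path"], m["date"], int(m["size"])))
            continue
        m = SVC_RE.match(line)
        if m:
            entries.append(Autostart("service", m["name"], m["path"], m["date"], int(m["size"])))
    return entries


def flag(entry: Autostart) -> List[str]:
    """Return the reasons an autostart entry deserves a closer look (empty list = nothing odd)."""
    reasons: List[str] = []
    path = entry.path.lower()
    if not path.startswith(TRUSTED_PREFIXES):
        reasons.append("binary outside Windows or Program Files")
    basename = path.rsplit("\\", 1)[-1]
    expected_dir = SYSTEM_NAMES.get(basename)
    if expected_dir and not path.startswith(expected_dir):
        reasons.append(f"{basename} masquerade: expected under {expected_dir}")
    return reasons


def suspicious_autostarts(log: str) -> Dict[str, List[str]]:
    """Map entry name -> reasons, for entries that tripped at least one check."""
    return {e.name: flag(e) for e in parse_autostarts(log) if flag(e)}


def snapshot_changes(log: str) -> Dict[str, dict]:
    """Pair '+' (now) and '-' (previous) SnapShot lines by path and classify each file."""
    now: Dict[str, Tuple[str, int]] = {}
    before: Dict[str, Tuple[str, int]] = {}
    for raw in log.splitlines():
        m = SNAP_RE.match(raw.strip())
        if m:
            target = now if m["sign"] == "+" else before
            target[m["path"].lower()] = (m["modified"], int(m["size"]))
    changes: Dict[str, dict] = {}
    for path, new in now.items():
        old = before.get(path)
        changes[path] = {"old": old, "new": new, "status": "modified" if old else "added"}
    for path in before.keys() - now.keys():
        changes[path] = {"old": before[path], "new": None, "status": "removed"}
    return changes


# Constructed sample: lines copied from the log above, plus one invented "updater"
# Run entry so the masquerade check has something to catch.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Parallels Tools"="c:\program files\Parallels\Parallels Tools\ParallelsToolsCenter.exe" [2007-12-27 1064960]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"updater"="c:\documents and settings\Administrator\Local Settings\Temp\svchost.exe" [2009-04-10 24576]

S2 cohrence;Parallels Coherence Service;c:\program files\Parallels\Parallels Tools\cohrence.exe [2007-12-27 53346]
S3 prleth;Parallels Network Adapter;c:\windows\system32\DRIVERS\prleth.sys [2007-12-27 6112]

+ 2009-02-06 03:10 . 2009-04-07 01:32 38496 c:\windows\system32\drivers\mbamswissarmy.sys
- 2009-02-06 03:10 . 2009-01-15 02:11 38496 c:\windows\system32\drivers\mbamswissarmy.sys
+ 2009-02-06 03:10 . 2009-04-07 01:32 15504 c:\windows\system32\drivers\mbam.sys
- 2009-02-06 03:10 . 2009-01-15 02:11 15504 c:\windows\system32\drivers\mbam.sys
'''

if __name__ == "__main__":
    for name, why in suspicious_autostarts(SAMPLE_LOG).items():
        print(name, "->", "; ".join(why))
    for path, info in snapshot_changes(SAMPLE_LOG).items():
        print(info["status"], path, info["old"], "->", info["new"])
```

Run against the real lines from this log, every Run-key and service entry resolves into Windows or Program Files, so the only hit comes from the constructed "updater" entry; that is consistent with the catchme result of zero hidden files shown above. The SnapShot comparison reports only the two mbam driver files, whose modification times moved from 2009-01-15 to 2009-04-07 between the two ComboFix runs, so the snapshot section is telling you that nothing else on the system changed between runs.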

Re: Memory Chip Virus

Post by Belahzur on 15th April 2009, 9:52 pm

Hello.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

This will also reset your restore points.

Any better now?


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245079
# Likes : 1

Re: Memory Chip Virus

Post by chupu on 16th April 2009, 4:08 am

I am now able to see the pictures without them disappearing, but when I try to pass them to the computer it says I don't have sufficient privileges. Also, now my virtual computer gets stuck, and My Documents and My Computer are always "not responding".

chupu

Re: Memory Chip Virus

Post by Belahzur on 16th April 2009, 1:29 pm

Sounds like some restrictions have been put on your machine by either you/your parents/malware.

Lemme think about this one.




Belahzur

Re: Memory Chip Virus

Post by chupu on 17th April 2009, 1:05 am

Definitely not my parents. I really doubt it was me, unless it was by accident; most probably malware.

chupu
