Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Win32/Patched.gb - Random redirecting in all browsers

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Win32/Patched.gb - Random redirecting in all browsers

Unread postby MickeyKnox » January 20th, 2011, 1:30 pm

Good evening!
This is my first and hopefully last thread here.
Sorry if my english ain't that good - now for my problem and my logs.
Yesterday my browsers started acting weird - I had random redirecting and the computer being slow.
After a quick scan with Malwarebytes and a quick look using msconfig I noticed something was wrong. I saw some random files with strange names being autostarted.
I installed the free version of AVG and it found out that explorer.exe was infected with the Win32/patched.gb.

Theese are my HiJackThis-logs. Would be eternally greatful for any help I could get! :)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 18:19:36, on 2011-01-20
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Fujitsu\SystemDiagnostics\OnlineDiagnostic\TestManager\TestHandler.exe
C:\Program\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Personal\bin\Personal.exe
C:\Program\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program\Toshiba\Bluetooth Toshiba Stack\TosHdpProc.exe
C:\Program\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Documents and Settings\Magnus o Annelie\Lokala inställningar\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Magnus o Annelie\Lokala inställningar\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Magnus o Annelie\Lokala inställningar\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program\AVG\AVG10\avgtray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Magnus o Annelie\Lokala inställningar\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Magnus o Annelie\Lokala inställningar\Application Data\Google\Chrome\Application\chrome.exe
C:\Program\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstall ... 0gtNElKTUg"&"inst=NzctNTMyNjMxMjM3"&"prod=90"&"ver=10.0.1187
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BankID säkerhetsprogram.lnk = C:\Program\Personal\bin\Personal.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: FsUsbExService - Teruten - C:\WINDOWS\system32\FsUsbExService.Exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: PEVSystemStart - Unknown owner - C:\ComboFix\PEV.cfxxe
O23 - Service: Fujitsu Diagnostic Testhandler (TestHandler) - Fujitsu Technology Solutions - C:\Program\Fujitsu\SystemDiagnostics\OnlineDiagnostic\TestManager\TestHandler.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 5535 bytes

-----------------------------------------------------------------------------------------

µTorrent
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Stock Photos 1.0
Baldur's Gate(TM) II - Throne of Bhaal (TM)
BankID säkerhetsprogram 4.10.4
Bejeweled 3
Bluetooth Stack for Windows by Toshiba
CDisplay 1.8
Foxit Reader
Fujitsu Hotkey Utility
Fujitsu System Extension Utility
Fujitsu System Extension Utility
HiJackThis
Hotfix for Windows Media Format 11 SDK (KB929399)
Intel(R) Graphics Media Accelerator Driver
Java(TM) 6 Update 22
KONICA MINOLTA magicolor 2400W
Malwarebytes' Anti-Malware
McAfee Security Scan Plus
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
mIRC
Mozilla Firefox (3.6.10)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
PokerStars
Realtek High Definition Audio Driver
Rootkit Unhooker LE 3.8 SR 2
Samsung New PC Studio
Samsung New PC Studio
SAMSUNG USB Driver for Mobile Phones
Segoe UI
Snabbkorrigering för Windows Media Player 11 (KB939683)
Snabbkorrigering för Windows XP (KB2158563)
Snabbkorrigering för Windows XP (KB2443685)
Snabbkorrigering för Windows XP (KB952287)
Snabbkorrigering för Windows XP (KB981793)
Spotify
Steam
SUPERAntiSpyware
Svenska Spels Poker
Synaptics Pointing Device Driver
SystemDiagnostics
Säkerhetsuppdatering för Windows Internet Explorer 8 (KB2183461)
Säkerhetsuppdatering för Windows Internet Explorer 8 (KB2360131)
Säkerhetsuppdatering för Windows Internet Explorer 8 (KB2416400)
Säkerhetsuppdatering för Windows Internet Explorer 8 (KB971961)
Säkerhetsuppdatering för Windows Internet Explorer 8 (KB981332)
Säkerhetsuppdatering för Windows Internet Explorer 8 (KB982381)
Säkerhetsuppdatering för Windows Media Player (KB2378111)
Säkerhetsuppdatering för Windows Media Player (KB952069)
Säkerhetsuppdatering för Windows Media Player (KB954155)
Säkerhetsuppdatering för Windows Media Player (KB973540)
Säkerhetsuppdatering för Windows Media Player (KB975558)
Säkerhetsuppdatering för Windows Media Player (KB978695)
Säkerhetsuppdatering för Windows Media Player (KB979402)
Säkerhetsuppdatering för Windows Media Player 11 (KB954154)
Säkerhetsuppdatering för Windows XP (KB2079403)
Säkerhetsuppdatering för Windows XP (KB2115168)
Säkerhetsuppdatering för Windows XP (KB2121546)
Säkerhetsuppdatering för Windows XP (KB2160329)
Säkerhetsuppdatering för Windows XP (KB2229593)
Säkerhetsuppdatering för Windows XP (KB2259922)
Säkerhetsuppdatering för Windows XP (KB2279986)
Säkerhetsuppdatering för Windows XP (KB2286198)
Säkerhetsuppdatering för Windows XP (KB2296011)
Säkerhetsuppdatering för Windows XP (KB2296199)
Säkerhetsuppdatering för Windows XP (KB2347290)
Säkerhetsuppdatering för Windows XP (KB2360937)
Säkerhetsuppdatering för Windows XP (KB2387149)
Säkerhetsuppdatering för Windows XP (KB2419632)
Säkerhetsuppdatering för Windows XP (KB2423089)
Säkerhetsuppdatering för Windows XP (KB2436673)
Säkerhetsuppdatering för Windows XP (KB2440591)
Säkerhetsuppdatering för Windows XP (KB2443105)
Säkerhetsuppdatering för Windows XP (KB923561)
Säkerhetsuppdatering för Windows XP (KB941569)
Säkerhetsuppdatering för Windows XP (KB946648)
Säkerhetsuppdatering för Windows XP (KB950760)
Säkerhetsuppdatering för Windows XP (KB950762)
Säkerhetsuppdatering för Windows XP (KB950974)
Säkerhetsuppdatering för Windows XP (KB951376-v2)
Säkerhetsuppdatering för Windows XP (KB951748)
Säkerhetsuppdatering för Windows XP (KB952004)
Säkerhetsuppdatering för Windows XP (KB952954)
Säkerhetsuppdatering för Windows XP (KB954459)
Säkerhetsuppdatering för Windows XP (KB956572)
Säkerhetsuppdatering för Windows XP (KB956744)
Säkerhetsuppdatering för Windows XP (KB956802)
Säkerhetsuppdatering för Windows XP (KB956803)
Säkerhetsuppdatering för Windows XP (KB956844)
Säkerhetsuppdatering för Windows XP (KB958644)
Säkerhetsuppdatering för Windows XP (KB958869)
Säkerhetsuppdatering för Windows XP (KB959426)
Säkerhetsuppdatering för Windows XP (KB960803)
Säkerhetsuppdatering för Windows XP (KB960859)
Säkerhetsuppdatering för Windows XP (KB961501)
Säkerhetsuppdatering för Windows XP (KB969059)
Säkerhetsuppdatering för Windows XP (KB970430)
Säkerhetsuppdatering för Windows XP (KB971657)
Säkerhetsuppdatering för Windows XP (KB972270)
Säkerhetsuppdatering för Windows XP (KB973507)
Säkerhetsuppdatering för Windows XP (KB973869)
Säkerhetsuppdatering för Windows XP (KB973904)
Säkerhetsuppdatering för Windows XP (KB974112)
Säkerhetsuppdatering för Windows XP (KB974318)
Säkerhetsuppdatering för Windows XP (KB974392)
Säkerhetsuppdatering för Windows XP (KB974571)
Säkerhetsuppdatering för Windows XP (KB975025)
Säkerhetsuppdatering för Windows XP (KB975467)
Säkerhetsuppdatering för Windows XP (KB975560)
Säkerhetsuppdatering för Windows XP (KB975562)
Säkerhetsuppdatering för Windows XP (KB975713)
Säkerhetsuppdatering för Windows XP (KB977816)
Säkerhetsuppdatering för Windows XP (KB977914)
Säkerhetsuppdatering för Windows XP (KB978037)
Säkerhetsuppdatering för Windows XP (KB978338)
Säkerhetsuppdatering för Windows XP (KB978542)
Säkerhetsuppdatering för Windows XP (KB978601)
Säkerhetsuppdatering för Windows XP (KB978706)
Säkerhetsuppdatering för Windows XP (KB979309)
Säkerhetsuppdatering för Windows XP (KB979482)
Säkerhetsuppdatering för Windows XP (KB979687)
Säkerhetsuppdatering för Windows XP (KB980195)
Säkerhetsuppdatering för Windows XP (KB980218)
Säkerhetsuppdatering för Windows XP (KB980232)
Säkerhetsuppdatering för Windows XP (KB980436)
Säkerhetsuppdatering för Windows XP (KB981322)
Säkerhetsuppdatering för Windows XP (KB981852)
Säkerhetsuppdatering för Windows XP (KB981957)
Säkerhetsuppdatering för Windows XP (KB981997)
Säkerhetsuppdatering för Windows XP (KB982132)
Säkerhetsuppdatering för Windows XP (KB982214)
Säkerhetsuppdatering för Windows XP (KB982665)
Säkerhetsuppdatering för Windows XP (KB982802)
Uppdatering för Windows Internet Explorer 8 (KB976662)
Uppdatering för Windows Internet Explorer 8 (KB982664)
Uppdatering för Windows XP (KB2141007)
Uppdatering för Windows XP (KB2345886)
Uppdatering för Windows XP (KB2467659)
Uppdatering för Windows XP (KB898461)
Uppdatering för Windows XP (KB951978)
Uppdatering för Windows XP (KB955759)
Uppdatering för Windows XP (KB961503)
Uppdatering för Windows XP (KB967715)
Uppdatering för Windows XP (KB968389)
Uppdatering för Windows XP (KB971737)
Uppdatering för Windows XP (KB973687)
Uppdatering för Windows XP (KB973815)
USB2.0 Card Reader Software
Windows Internet Explorer 8
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live inloggningsassistenten
Windows Live Messenger
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
WinRAR archiver
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 1.1.4
VVVVVV (Window v1.0)
Xvid 1.2.2 final uninstall


Thanks in advance!
MickeyKnox
Active Member
 
Posts: 14
Joined: January 20th, 2011, 1:13 pm
Advertisement
Register to Remove

Re: Win32/Patched.gb - Random redirecting in all browsers

Unread postby deltalima » January 20th, 2011, 3:20 pm

Checking your log - back soon.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Win32/Patched.gb - Random redirecting in all browsers

Unread postby deltalima » January 20th, 2011, 3:41 pm

Hi MickeyKnox,

Welcome to the forum.

My nickname is deltalima and I will be helping you with your malware issue.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.


Please note the following:
  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Remove P2P Programs

  • I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

    µTorrent


  • Please read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.
  • Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

  • Click on start
  • Then Run
  • In the open text entry box please copy/paste appwiz.cpl Then click enter.
  • Press the "Remove" or "Change/Remove"...button to uninstall the programs listed above (in red) and any other P2P you have installed NOW.
  • Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.


I installed the free version of AVG and it found out that explorer.exe was infected

You were running without antivirus software, became infected then installed AVG and now the log shows no antivirus software installed.

If we are to continue then you need to install antivirus software (not AVG) and agree to keep it installed in future to reduce the chances of becoming infected again.


If you have AVG installed please remove it.

No anti-virus

Looking over your log, it seems you don't have any evidence of an anti-virus software.

Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these excellent vendors.


Note: You should run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and results in program conflicts and false virus alerts.

Please let me know if you have run Combofix and what the result was.
Last edited by deltalima on January 20th, 2011, 5:49 pm, edited 1 time in total.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Win32/Patched.gb - Random redirecting in all browsers

Unread postby MickeyKnox » January 20th, 2011, 5:29 pm

Hi, thanks for a quick reply!
I uninstalled my torrent-client, AVG and downloaded Antivir.

I ran ComboFix (without antivirus program active) and about 2 minutes into the process I got a bluescreen - the only thing I registered from that screen was BAD_POOL_HEADER.

I also copied the fault-report:
BCCode : 19 BCP1 : 00000020
BCP2 : 84E908F0 BCP3 : 84E90D08
BCP4 : 1A8300A6 OSVer : 5_1_2600
SP : 3_0 Product : 768_1

//Mick
MickeyKnox
Active Member
 
Posts: 14
Joined: January 20th, 2011, 1:13 pm

Re: Win32/Patched.gb - Random redirecting in all browsers

Unread postby deltalima » January 20th, 2011, 5:52 pm

Hi MickeyKnox,

I uninstalled my torrent-client, AVG and downloaded Antivir.


Please run a full scan with Antivir and post the log in your next reply.

I must warn you that the virus has infected one or more of the system files on the computer and the removal process is not without risks. I will make every effort to clean the computer but must warn you that if it goes wrong then the computer could become unbootable.

Before we proceed please make sure you copy any important data to CD / DVD or another computer.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Win32/Patched.gb - Random redirecting in all browsers

Unread postby MickeyKnox » January 20th, 2011, 7:51 pm

Hi - here is the report of the full scan.
I didn't remove anything just yet in case of deleting smth important.




Avira AntiVir Personal
Report file date: den 20 januari 2011 23:57

Scanning for 2411098 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : LILLSKIT

Version information:
BUILD.DAT : 10.0.0.609 31824 Bytes 2010-12-13 09:43:00
AVSCAN.EXE : 10.0.3.5 435368 Bytes 2010-12-13 07:39:56
AVSCAN.DLL : 10.0.3.0 46440 Bytes 2010-04-01 11:57:04
LUKE.DLL : 10.0.3.2 104296 Bytes 2010-12-13 07:40:06
LUKERES.DLL : 10.0.0.1 12648 Bytes 2010-02-10 22:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 2009-11-06 08:05:36
VBASE001.VDF : 7.11.0.0 13342208 Bytes 2010-12-14 22:53:32
VBASE002.VDF : 7.11.0.1 2048 Bytes 2010-12-14 22:53:32
VBASE003.VDF : 7.11.0.2 2048 Bytes 2010-12-14 22:53:32
VBASE004.VDF : 7.11.0.3 2048 Bytes 2010-12-14 22:53:32
VBASE005.VDF : 7.11.0.4 2048 Bytes 2010-12-14 22:53:32
VBASE006.VDF : 7.11.0.5 2048 Bytes 2010-12-14 22:53:32
VBASE007.VDF : 7.11.0.6 2048 Bytes 2010-12-14 22:53:32
VBASE008.VDF : 7.11.0.7 2048 Bytes 2010-12-14 22:53:32
VBASE009.VDF : 7.11.0.8 2048 Bytes 2010-12-14 22:53:33
VBASE010.VDF : 7.11.0.9 2048 Bytes 2010-12-14 22:53:33
VBASE011.VDF : 7.11.0.10 2048 Bytes 2010-12-14 22:53:33
VBASE012.VDF : 7.11.0.11 2048 Bytes 2010-12-14 22:53:33
VBASE013.VDF : 7.11.0.52 128000 Bytes 2010-12-16 22:53:34
VBASE014.VDF : 7.11.0.91 226816 Bytes 2010-12-20 22:53:35
VBASE015.VDF : 7.11.0.122 136192 Bytes 2010-12-21 22:53:35
VBASE016.VDF : 7.11.0.156 122880 Bytes 2010-12-24 22:53:36
VBASE017.VDF : 7.11.0.185 146944 Bytes 2010-12-27 22:53:37
VBASE018.VDF : 7.11.0.228 132608 Bytes 2010-12-30 22:53:37
VBASE019.VDF : 7.11.1.5 148480 Bytes 2011-01-03 22:53:38
VBASE020.VDF : 7.11.1.37 156672 Bytes 2011-01-07 22:53:39
VBASE021.VDF : 7.11.1.65 140800 Bytes 2011-01-10 22:53:40
VBASE022.VDF : 7.11.1.87 225280 Bytes 2011-01-11 22:53:41
VBASE023.VDF : 7.11.1.124 125440 Bytes 2011-01-14 22:53:41
VBASE024.VDF : 7.11.1.155 132096 Bytes 2011-01-17 22:53:42
VBASE025.VDF : 7.11.1.189 451072 Bytes 2011-01-20 22:53:44
VBASE026.VDF : 7.11.1.190 2048 Bytes 2011-01-20 22:53:44
VBASE027.VDF : 7.11.1.191 2048 Bytes 2011-01-20 22:53:44
VBASE028.VDF : 7.11.1.192 2048 Bytes 2011-01-20 22:53:44
VBASE029.VDF : 7.11.1.193 2048 Bytes 2011-01-20 22:53:45
VBASE030.VDF : 7.11.1.194 2048 Bytes 2011-01-20 22:53:45
VBASE031.VDF : 7.11.1.201 19968 Bytes 2011-01-20 22:53:45
Engineversion : 8.2.4.150
AEVDF.DLL : 8.1.2.1 106868 Bytes 2010-12-13 07:39:51
AESCRIPT.DLL : 8.1.3.52 1282426 Bytes 2011-01-20 22:53:58
AESCN.DLL : 8.1.7.2 127349 Bytes 2010-12-13 07:39:50
AESBX.DLL : 8.1.3.2 254324 Bytes 2010-12-13 07:39:50
AERDL.DLL : 8.1.9.2 635252 Bytes 2010-12-13 07:39:50
AEPACK.DLL : 8.2.4.8 512374 Bytes 2011-01-20 22:53:56
AEOFFICE.DLL : 8.1.1.15 205178 Bytes 2011-01-20 22:53:54
AEHEUR.DLL : 8.1.2.68 3178870 Bytes 2011-01-20 22:53:54
AEHELP.DLL : 8.1.16.0 246136 Bytes 2010-12-13 07:39:42
AEGEN.DLL : 8.1.5.2 397683 Bytes 2011-01-20 22:53:47
AEEMU.DLL : 8.1.3.0 393589 Bytes 2010-12-13 07:39:42
AECORE.DLL : 8.1.19.2 196983 Bytes 2011-01-20 22:53:46
AEBB.DLL : 8.1.1.0 53618 Bytes 2010-12-13 07:39:41
AVWINLL.DLL : 10.0.0.0 19304 Bytes 2010-12-13 07:39:56
AVPREF.DLL : 10.0.0.0 44904 Bytes 2010-12-13 07:39:54
AVREP.DLL : 10.0.0.8 62209 Bytes 2010-06-17 13:27:13
AVREG.DLL : 10.0.3.2 53096 Bytes 2010-12-13 07:39:54
AVSCPLR.DLL : 10.0.3.2 84328 Bytes 2010-12-13 07:39:56
AVARKT.DLL : 10.0.22.6 231784 Bytes 2010-12-13 07:39:52
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 2010-12-13 07:39:53
SQLITE3.DLL : 3.6.19.0 355688 Bytes 2010-06-17 13:27:22
AVSMTP.DLL : 10.0.0.17 63848 Bytes 2010-12-13 07:39:56
NETNT.DLL : 10.0.0.0 11624 Bytes 2010-06-17 13:27:21
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 2010-01-28 12:10:20
RCTEXT.DLL : 10.0.58.0 97128 Bytes 2010-12-13 07:40:20

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: den 20 januari 2011 23:57

Starting search for hidden objects.
c:\program\personal\bin\personal.exe
c:\program\personal\bin\personal.exe
[NOTE] The process is not visible.
[WARNING] The file was ignored!

The scan of running processes will be started
Scan process 'rsmsink.exe' - '28' Module(s) have been scanned
Scan process 'mirc.exe' - '73' Module(s) have been scanned
Scan process 'msdtc.exe' - '40' Module(s) have been scanned
Scan process 'dllhost.exe' - '59' Module(s) have been scanned
Scan process 'dllhost.exe' - '45' Module(s) have been scanned
Scan process 'vssvc.exe' - '48' Module(s) have been scanned
Scan process 'wscntfy.exe' - '20' Module(s) have been scanned
Scan process 'avscan.exe' - '66' Module(s) have been scanned
Scan process 'avcenter.exe' - '62' Module(s) have been scanned
Scan process 'avgnt.exe' - '49' Module(s) have been scanned
Scan process 'sched.exe' - '46' Module(s) have been scanned
Scan process 'avshadow.exe' - '26' Module(s) have been scanned
Scan process 'avguard.exe' - '60' Module(s) have been scanned
Scan process 'chrome.exe' - '55' Module(s) have been scanned
Scan process 'chrome.exe' - '37' Module(s) have been scanned
Scan process 'chrome.exe' - '37' Module(s) have been scanned
Scan process 'chrome.exe' - '63' Module(s) have been scanned
Scan process 'tosBtProc.exe' - '26' Module(s) have been scanned
Scan process 'tosOBEX.exe' - '41' Module(s) have been scanned
Scan process 'TosAVRC.exe' - '31' Module(s) have been scanned
Scan process 'TosBtHsp.exe' - '32' Module(s) have been scanned
Scan process 'TosHdpProc.exe' - '29' Module(s) have been scanned
Scan process 'TosBtHid.exe' - '18' Module(s) have been scanned
Scan process 'TosA2dp.exe' - '31' Module(s) have been scanned
Scan process 'svchost.exe' - '34' Module(s) have been scanned
Scan process 'TosBtMng.exe' - '50' Module(s) have been scanned
Scan process 'Personal.exe' - '35' Module(s) have been scanned
Scan process 'ctfmon.exe' - '25' Module(s) have been scanned
Scan process 'Explorer.EXE' - '95' Module(s) have been scanned
Module is infected -> <C:\WINDOWS\explorer.exe>
[DETECTION] Is the TR/Patched.Gen Trojan
[WARNING] The file was ignored!
Scan process 'alg.exe' - '33' Module(s) have been scanned
Scan process 'TosBtSrv.exe' - '23' Module(s) have been scanned
Scan process 'TestHandler.exe' - '33' Module(s) have been scanned
Scan process 'svchost.exe' - '42' Module(s) have been scanned
Scan process 'FsUsbExService.Exe' - '21' Module(s) have been scanned
Scan process 'svchost.exe' - '34' Module(s) have been scanned
Scan process 'spoolsv.exe' - '64' Module(s) have been scanned
Scan process 'svchost.exe' - '40' Module(s) have been scanned
Scan process 'svchost.exe' - '32' Module(s) have been scanned
Scan process 'svchost.exe' - '167' Module(s) have been scanned
Scan process 'svchost.exe' - '39' Module(s) have been scanned
Scan process 'svchost.exe' - '51' Module(s) have been scanned
Scan process 'lsass.exe' - '58' Module(s) have been scanned
Scan process 'services.exe' - '36' Module(s) have been scanned
Scan process 'winlogon.exe' - '66' Module(s) have been scanned
Module is infected -> <C:\WINDOWS\system32\winlogon.exe>
[DETECTION] Is the TR/Patched.Gen Trojan
[WARNING] The file was ignored!
Scan process 'csrss.exe' - '12' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
C:\WINDOWS\system32\NT.DLL
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\WINDOWS\explorer.exe
[DETECTION] Is the TR/Patched.Gen Trojan

The registry was scanned ( '374' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\Documents and Settings\Magnus o Annelie\Application Data\Sun\Java\Deployment\cache\6.0\0\6a208e80-4cc441ed
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/Agent.HN Java virus
--> bpac/a.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.HN Java virus
C:\Documents and Settings\Magnus o Annelie\Application Data\Sun\Java\Deployment\cache\6.0\28\1f2a9e1c-4ecb5be2
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/Agent.HW Java virus
--> g6k1.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.HW Java virus
--> y6u7.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0094.AQ exploit
--> g5z6.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.HV Java virus
--> h6l4.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.HY Java virus
C:\Documents and Settings\Magnus o Annelie\Application Data\Sun\Java\Deployment\cache\6.0\41\5cdaf2a9-69b32189
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/OpenConnect.CF Java virus
--> bpac/a.class
[DETECTION] Contains recognition pattern of the JAVA/OpenConnect.CF Java virus
C:\Documents and Settings\Magnus o Annelie\Application Data\Sun\Java\Deployment\cache\6.0\53\7fa50935-5b13c3f1
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/LoadClass.A Java virus
--> vload.class
[DETECTION] Contains recognition pattern of the JAVA/LoadClass.A Java virus
--> vmain.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.DU Java virus
C:\Documents and Settings\Magnus o Annelie\Application Data\Sun\Java\Deployment\cache\6.0\54\652b7ab6-46bcc534
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/Agent.abj Java virus
--> g_h__an5.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.abj Java virus
--> PNYGT7O.class
[DETECTION] Contains recognition pattern of the JAVA/Remote.B Java virus
--> T___n_UB_Nc.class
[DETECTION] Contains recognition pattern of the JAVA/Rowindal.A Java virus
C:\Documents and Settings\Magnus o Annelie\Application Data\Sun\Java\Deployment\cache\6.0\56\21bbb478-4c7c30b8
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the EXP/Java.2009-3867 exploit
--> vmain.class
[DETECTION] Contains recognition pattern of the EXP/Java.2009-3867 exploit
C:\Documents and Settings\Magnus o Annelie\Application Data\Sun\Java\Deployment\cache\6.0\58\7dcf887a-35740ad2
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/OpenConnect.CF Java virus
--> bpac/a.class
[DETECTION] Contains recognition pattern of the JAVA/OpenConnect.CF Java virus
C:\Documents and Settings\Magnus o Annelie\Lokala inställningar\Temp\Av-test.txt
[DETECTION] Contains code of the Eicar-Test-Signature virus
C:\Documents and Settings\Magnus o Annelie\Skrivbord\Blandat skräp\Super.Meat.Boy.v1.0u2-THETA.rar
[0] Archive type: RAR
[DETECTION] Is the TR/Dropper.Gen Trojan
--> Super Meat Boy.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\Documents and Settings\Magnus o Annelie\Skrivbord\Super.Meat.Boy.v1.0u2-THETA\Super Meat Boy.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\System Volume Information\_restore{3B3E9BB8-9C38-4941-B3CB-7726AAAD7DAE}\RP1\A0000001.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\System Volume Information\_restore{3B3E9BB8-9C38-4941-B3CB-7726AAAD7DAE}\RP1\A0000012.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
--> Object
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\System Volume Information\_restore{3B3E9BB8-9C38-4941-B3CB-7726AAAD7DAE}\RP1\A0000032.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\System Volume Information\_restore{3B3E9BB8-9C38-4941-B3CB-7726AAAD7DAE}\RP1\A0000033.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\System Volume Information\_restore{3B3E9BB8-9C38-4941-B3CB-7726AAAD7DAE}\RP1\A0000144.exe
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{3B3E9BB8-9C38-4941-B3CB-7726AAAD7DAE}\RP1\A0000145.exe
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{3B3E9BB8-9C38-4941-B3CB-7726AAAD7DAE}\RP4\A0000184.exe
[DETECTION] Is the TR/Patched.Gen Trojan
C:\System Volume Information\_restore{3B3E9BB8-9C38-4941-B3CB-7726AAAD7DAE}\RP4\A0000185.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\System Volume Information\_restore{3B3E9BB8-9C38-4941-B3CB-7726AAAD7DAE}\RP4\A0000186.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
--> Object
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\System Volume Information\_restore{3B3E9BB8-9C38-4941-B3CB-7726AAAD7DAE}\RP4\A0000187.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\WINDOWS\explorer.exe
[DETECTION] Is the TR/Patched.Gen Trojan
C:\WINDOWS\SoftwareDistribution\Download\2b99763e06357f96f663f7b25ddb9f5f\BIT9.tmp
[0] Archive type: CAB (Microsoft)
--> _sfx_0007._p
[WARNING] The file could not be written!
C:\WINDOWS\system32\nt.dll
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\WINDOWS\system32\winlogon.exe
[DETECTION] Is the TR/Patched.Gen Trojan
C:\WINDOWS\system32\dllcache\winlogon.exe
[DETECTION] Is the TR/Patched.Gen Trojan

Beginning disinfection:
C:\WINDOWS\system32\dllcache\winlogon.exe
[DETECTION] Is the TR/Patched.Gen Trojan
[WARNING] The file was ignored!
C:\WINDOWS\system32\winlogon.exe
[DETECTION] Is the TR/Patched.Gen Trojan
[WARNING] The file was ignored!
C:\System Volume Information\_restore{3B3E9BB8-9C38-4941-B3CB-7726AAAD7DAE}\RP4\A0000187.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[WARNING] The file was ignored!
C:\System Volume Information\_restore{3B3E9BB8-9C38-4941-B3CB-7726AAAD7DAE}\RP4\A0000186.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[WARNING] The file was ignored!
C:\System Volume Information\_restore{3B3E9BB8-9C38-4941-B3CB-7726AAAD7DAE}\RP4\A0000185.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[WARNING] The file was ignored!
C:\System Volume Information\_restore{3B3E9BB8-9C38-4941-B3CB-7726AAAD7DAE}\RP4\A0000184.exe
[DETECTION] Is the TR/Patched.Gen Trojan
[WARNING] The file was ignored!
C:\System Volume Information\_restore{3B3E9BB8-9C38-4941-B3CB-7726AAAD7DAE}\RP1\A0000145.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] The file was ignored!
C:\System Volume Information\_restore{3B3E9BB8-9C38-4941-B3CB-7726AAAD7DAE}\RP1\A0000144.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] The file was ignored!
C:\System Volume Information\_restore{3B3E9BB8-9C38-4941-B3CB-7726AAAD7DAE}\RP1\A0000033.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[WARNING] The file was ignored!
C:\System Volume Information\_restore{3B3E9BB8-9C38-4941-B3CB-7726AAAD7DAE}\RP1\A0000032.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[WARNING] The file was ignored!
C:\System Volume Information\_restore{3B3E9BB8-9C38-4941-B3CB-7726AAAD7DAE}\RP1\A0000012.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[WARNING] The file was ignored!
C:\System Volume Information\_restore{3B3E9BB8-9C38-4941-B3CB-7726AAAD7DAE}\RP1\A0000001.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[WARNING] The file was ignored!
C:\Documents and Settings\Magnus o Annelie\Skrivbord\Super.Meat.Boy.v1.0u2-THETA\Super Meat Boy.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[WARNING] The file was ignored!
C:\Documents and Settings\Magnus o Annelie\Skrivbord\Blandat skräp\Super.Meat.Boy.v1.0u2-THETA.rar
[DETECTION] Is the TR/Dropper.Gen Trojan
[WARNING] The file was ignored!
C:\Documents and Settings\Magnus o Annelie\Lokala inställningar\Temp\Av-test.txt
[DETECTION] Contains code of the Eicar-Test-Signature virus
[WARNING] The file was ignored!
C:\Documents and Settings\Magnus o Annelie\Application Data\Sun\Java\Deployment\cache\6.0\58\7dcf887a-35740ad2
[DETECTION] Contains recognition pattern of the JAVA/OpenConnect.CF Java virus
[WARNING] The file was ignored!
C:\Documents and Settings\Magnus o Annelie\Application Data\Sun\Java\Deployment\cache\6.0\56\21bbb478-4c7c30b8
[DETECTION] Contains recognition pattern of the EXP/Java.2009-3867 exploit
[WARNING] The file was ignored!
C:\Documents and Settings\Magnus o Annelie\Application Data\Sun\Java\Deployment\cache\6.0\54\652b7ab6-46bcc534
[DETECTION] Contains recognition pattern of the JAVA/Rowindal.A Java virus
[WARNING] The file was ignored!
C:\Documents and Settings\Magnus o Annelie\Application Data\Sun\Java\Deployment\cache\6.0\53\7fa50935-5b13c3f1
[DETECTION] Contains recognition pattern of the JAVA/Agent.DU Java virus
[WARNING] The file was ignored!
C:\Documents and Settings\Magnus o Annelie\Application Data\Sun\Java\Deployment\cache\6.0\41\5cdaf2a9-69b32189
[DETECTION] Contains recognition pattern of the JAVA/OpenConnect.CF Java virus
[WARNING] The file was ignored!
C:\Documents and Settings\Magnus o Annelie\Application Data\Sun\Java\Deployment\cache\6.0\28\1f2a9e1c-4ecb5be2
[DETECTION] Contains recognition pattern of the JAVA/Agent.HY Java virus
[WARNING] The file was ignored!
C:\Documents and Settings\Magnus o Annelie\Application Data\Sun\Java\Deployment\cache\6.0\0\6a208e80-4cc441ed
[DETECTION] Contains recognition pattern of the JAVA/Agent.HN Java virus
[WARNING] The file was ignored!
C:\WINDOWS\explorer.exe
[DETECTION] Is the TR/Patched.Gen Trojan
[WARNING] The file was ignored!
C:\WINDOWS\system32\NT.DLL
[DETECTION] Is the TR/Hijacker.Gen Trojan
[WARNING] The file was ignored!


End of the scan: den 21 januari 2011 00:49
Used time: 49:52 Minute(s)

The scan has been done completely.

5454 Scanned directories
190035 Files were scanned
34 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
190001 Files not concerned
2252 Archives were scanned
28 Warnings
0 Notes
232013 Objects were scanned with rootkit scan
1 Hidden objects were found
MickeyKnox
Active Member
 
Posts: 14
Joined: January 20th, 2011, 1:13 pm

Re: Win32/Patched.gb - Random redirecting in all browsers

Unread postby deltalima » January 21st, 2011, 5:05 am

Hi MickeyKnox,

Upload a File to Virustotal

Please go to Virustotal

Copy/paste this file and path into the white box at the top:
C:\WINDOWS\system32\winlogon.exe

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.

Download SystemLook and save it to your Desktop.

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code: Select all
    :filefind
    winlogon.exe
    explorer.exe
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Win32/Patched.gb - Random redirecting in all browsers

Unread postby MickeyKnox » January 21st, 2011, 7:17 am

Hi there - here comes my findings from VirusTotal and SystemLook!
I didn't know if you wanted the additional information too - so I included that just to be safe. :)

Antivirus Version Last Update Result
AhnLab-V3 2011.01.18.00 2011.01.17 -
AntiVir 7.11.1.205 2011.01.21 TR/Patched.Gen
Antiy-AVL 2.0.3.7 2011.01.18 Trojan/Win32.Patched.gen
Avast 4.8.1351.0 2011.01.20 Win32:WinPatch
Avast5 5.0.677.0 2011.01.20 Win32:WinPatch
AVG 10.0.0.1190 2011.01.21 -
BitDefender 7.2 2011.01.21 -
CAT-QuickHeal 11.00 2011.01.21 -
ClamAV 0.96.4.0 2011.01.21 -
Commtouch 5.2.11.5 2011.01.21 -
Comodo 7461 2011.01.21 -
DrWeb 5.0.2.03300 2011.01.21 Win32.Dat.15
Emsisoft 5.1.0.1 2011.01.21 -
eSafe 7.0.17.0 2011.01.20 -
eTrust-Vet 36.1.8114 2011.01.21 -
F-Prot 4.6.2.117 2011.01.20 -
F-Secure 9.0.16160.0 2011.01.21 -
Fortinet 4.2.254.0 2011.01.21 W32/Patched.Y!tr
GData 21 2011.01.21 Win32:WinPatch
Ikarus T3.1.1.97.0 2011.01.21 -
Jiangmin 13.0.900 2011.01.21 -
K7AntiVirus 9.77.3603 2011.01.20 Virus
Kaspersky 7.0.0.125 2011.01.21 Trojan.Win32.Patched.lk
McAfee 5.400.0.1158 2011.01.21 -
McAfee-GW-Edition 2010.1C 2011.01.21 -
Microsoft 1.6502 2011.01.21 -
NOD32 5805 2011.01.21 Win32/Patched.GN
Norman 6.06.12 2011.01.20 -
nProtect 2011-01-18.01 2011.01.18 -
Panda 10.0.2.7 2011.01.20 -
PCTools 7.0.3.5 2011.01.21 Trojan.Bamital
Prevx 3.0 2011.01.21 -
Rising 23.41.04.03 2011.01.21 -
Sophos 4.61.0 2011.01.21 Troj/Patched-Y
SUPERAntiSpyware 4.40.0.1006 2011.01.21 -
Symantec 20101.3.0.103 2011.01.21 Trojan.Bamital.B!inf
TheHacker 6.7.0.1.116 2011.01.18 -
TrendMicro 9.120.0.1004 2011.01.21 -
TrendMicro-HouseCall 9.120.0.1004 2011.01.21 -
VBA32 3.12.14.3 2011.01.20 -
VIPRE 8139 2011.01.21 -
ViRobot 2011.1.21.4267 2011.01.21 -
VirusBuster 13.6.156.0 2011.01.20 -


Additional informationShow all
MD5 : e159154cca9c89280f3c9f7859c6df03
SHA1 : cc901a95f75a3308219e51eb744d9053a3bac437
SHA256: a7fc091ba10e476b1a3f4ee55048467e1e6ad6b701548575ea4ccb112f569abc
ssdeep: 6144:UhNZlxEdL5RvGlcHF37newMLao6nMnKHOD13XRnCfOVSePfLtisgZYML:Ldz+lcDKao6nS
KHsRqOMgxZgr
File size : 507904 bytes
First seen: 2011-01-21 11:03:53
Last seen : 2011-01-21 11:03:53
TrID:
Win64 Executable Generic (80.9%)
Win32 Executable Generic (8.0%)
Win32 Dynamic Link Library (generic) (7.1%)
Generic Win/DOS Executable (1.8%)
DOS Executable Generic (1.8%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. Med ensamratt.
product......: Operativsystemet Microsoft_ Windows_
description..: Inloggningsprogram for Windows NT
original name: WINLOGON.EXE
internal name: winlogon
file version.: 5.1.2600.5512 (xpsp.080413-2113)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0xB4F4
timedatestamp....: 0x48027549 (Sun Apr 13 21:04:09 2008)
machinetype......: 0x14c (I386)

[[ 3 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x70991, 0x70A00, 6.82, d7bb7a4e3dedb1d3a6123c7ca8c43c52
.data, 0x72000, 0x4E70, 0x2000, 6.29, 9c318293d9770d545307f8b15d1a8c7f
.rsrc, 0x77000, 0x9054, 0x9200, 3.77, 6e4c28dea6fd9166fb603e1fda7e3904

[[ 20 import(s) ]]
ADVAPI32.dll: ConvertStringSecurityDescriptorToSecurityDescriptorA, A_SHAInit, A_SHAUpdate, A_SHAFinal, LsaStorePrivateData, LsaRetrievePrivateData, LsaNtStatusToWinError, CryptGetUserKey, CryptGetKeyParam, CryptEncrypt, CryptSetProvParam, CryptSignHashW, CryptDeriveKey, CryptGetProvParam, RegOpenCurrentUser, RegDeleteKeyW, AddAccessAllowedAceEx, RegSetKeySecurity, I_ScSendTSMessage, MD5Init, MD5Update, MD5Final, SetFileSecurityA, AllocateLocallyUniqueId, LsaOpenPolicy, LsaQueryInformationPolicy, LsaFreeMemory, LsaClose, RegNotifyChangeKeyValue, QueryServiceConfigW, SetKernelObjectSecurity, ConvertStringSecurityDescriptorToSecurityDescriptorW, RegEnumKeyExW, GetCurrentHwProfileW, RegCloseKey, RegQueryValueExW, RegOpenKeyW, FreeSid, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, AddAccessAllowedAce, InitializeAcl, GetLengthSid, AllocateAndInitializeSid, RegOpenKeyExW, CreateProcessAsUserW, DuplicateTokenEx, CloseServiceHandle, ControlService, StartServiceW, QueryServiceStatus, OpenServiceW, OpenSCManagerW, EqualSid, GetTokenInformation, RegSetValueExW, RegCreateKeyExW, CryptGenRandom, CryptDestroyHash, CryptVerifySignatureW, CryptSetHashParam, CryptGetHashParam, CryptHashData, CryptCreateHash, CryptDecrypt, ReportEventW, RegisterEventSourceW, CryptImportKey, CryptAcquireContextW, CryptReleaseContext, CryptDestroyKey, RegEnumValueW, RegQueryInfoKeyW, RegDeleteValueW, CredFree, CredDeleteW, CredEnumerateW, CopySid, GetSidLengthRequired, GetSidSubAuthority, GetSidSubAuthorityCount, GetUserNameW, OpenThreadToken, EnumServicesStatusW, ImpersonateLoggedOnUser, RegQueryValueExA, CheckTokenMembership, DeregisterEventSource, LsaGetUserName, RevertToSelf, LookupAccountSidW, IsValidSid, SetTokenInformation, LogonUserW, LookupAccountNameW, OpenProcessToken, SynchronizeWindows31FilesAndWindowsNTRegistry, QueryWindows31FilesMigration, AdjustTokenPrivileges, RegQueryInfoKeyA
AUTHZ.dll: AuthzInitializeResourceManager, AuthzAccessCheck, AuthziFreeAuditEventType, AuthziInitializeAuditEvent, AuthziInitializeAuditParams, AuthziInitializeAuditEventType, AuthziLogAuditEvent, AuthzFreeAuditEvent, AuthzFreeResourceManager, AuthzFreeHandle
CRYPT32.dll: CryptImportPublicKeyInfo, CryptVerifyMessageSignature, CertCreateCertificateContext, CertSetCertificateContextProperty, CertVerifyCertificateChainPolicy, CryptSignMessage, CertCloseStore, CertComparePublicKeyInfo, CryptExportPublicKeyInfo, CertFindExtension, CryptDecryptMessage, CertGetCertificateContextProperty, CertAddCertificateContextToStore, CertOpenStore, CertVerifySubjectCertificateContext, CertGetIssuerCertificateFromStore, CertDuplicateCertificateContext, CertFreeCertificateContext, CertEnumCertificatesInStore, CryptImportPublicKeyInfoEx
GDI32.dll: RemoveFontResourceW, AddFontResourceW
KERNEL32.dll: WTSGetActiveConsoleSessionId, GetTimeFormatW, GetUserDefaultLCID, FileTimeToSystemTime, FileTimeToLocalFileTime, GetProcAddress, LoadLibraryW, GetModuleHandleW, SystemTimeToFileTime, GetSystemTime, SetLastError, TerminateProcess, GetCurrentProcess, CreateTimerQueueTimer, CreateThread, lstrcpynW, GetShortPathNameW, GetProfileStringW, FreeLibrary, ReleaseSemaphore, CreateSemaphoreW, GetSystemInfo, GetComputerNameW, GetEnvironmentVariableW, WaitForSingleObjectEx, LoadResource, FindResourceW, SetThreadExecutionState, DeleteTimerQueueTimer, ResetEvent, GetSystemDirectoryW, TransactNamedPipe, SetNamedPipeHandleState, GetTickCount, CreateFileW, GlobalGetAtomNameW, VirtualLock, VirtualQuery, GetDriveTypeW, Beep, ExpandEnvironmentStringsW, OpenMutexW, QueueUserWorkItem, LeaveCriticalSection, EnterCriticalSection, DisconnectNamedPipe, SearchPathW, lstrcatW, LocalReAlloc, TerminateThread, ResumeThread, GetDiskFreeSpaceExW, GlobalMemoryStatusEx, DeleteFileW, WriteProfileStringW, ReadFile, FindVolumeClose, FindNextVolumeW, FindFirstVolumeW, FormatMessageW, SetPriorityClass, MoveFileExW, WaitForMultipleObjectsEx, GetExitCodeProcess, SleepEx, InterlockedExchange, FindClose, FindFirstFileW, GetWindowsDirectoryW, SetTimerQueueTimer, GetComputerNameA, GetVersionExW, VerSetConditionMask, WriteFile, WaitNamedPipeW, WaitForMultipleObjects, ConnectNamedPipe, GetVersionExA, DuplicateHandle, OpenProcess, GetOverlappedResult, lstrcmpW, SetEnvironmentVariableW, UnregisterWait, CreateNamedPipeW, CreateRemoteThread, CreateActCtxW, GetModuleFileNameW, ExitProcess, LoadLibraryExW, SetErrorMode, SetUnhandledExceptionFilter, GetPrivateProfileStringW, LocalSize, VirtualAlloc, VirtualQueryEx, DebugBreak, CreateFileA, InitializeCriticalSection, ProcessIdToSessionId, SetInformationJobObject, AssignProcessToJobObject, TerminateJobObject, PostQueuedCompletionStatus, PulseEvent, GetQueuedCompletionStatus, CreateIoCompletionPort, CreateJobObjectW, ActivateActCtx, DeactivateActCtx, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, GetSystemTimeAsFileTime, UnhandledExceptionFilter, GetModuleHandleA, GetStartupInfoA, GetCurrentProcessId, SetThreadPriority, GetCurrentThreadId, lstrcmpiW, GetProfileIntW, LoadLibraryExA, lstrcpyW, lstrlenW, Sleep, LocalAlloc, CreateEventW, GetExitCodeThread, SetThreadAffinityMask, GetProcessAffinityMask, CreateWaitableTimerW, CreateMutexW, OpenEventW, RegisterWaitForSingleObject, WaitForSingleObject, CreateProcessW, SetWaitableTimer, ReleaseMutex, SetEvent, UnregisterWaitEx, CloseHandle, lstrlenA, lstrcpyA, MultiByteToWideChar, GetACP, WideCharToMultiByte, HeapAlloc, GetProcessHeap, HeapFree, lstrcpynA, UnmapViewOfFile, MapViewOfFile, CreateFileMappingW, lstrcmpiA, GetFileSize, SetFilePointer, GlobalAlloc, GlobalFree, GetLastError, LocalFree, lstrcatA, lstrcmpA, GetLogicalDriveStringsA, GetDriveTypeA, GetVolumeInformationW, GlobalMemoryStatus, CreateMutexA, FindResourceExW, LockResource, SizeofResource, VerifyVersionInfoW, GetSystemDirectoryA, GetCurrentThread, DelayLoadFailureHook, BaseInitAppcompatCacheSupport, OpenProfileUserMapping, CloseProfileUserMapping, BaseCleanupAppcompatCacheSupport, InitializeCriticalSectionAndSpinCount, VirtualProtect, CreateEventA, TlsSetValue, TlsGetValue, DeleteCriticalSection, TlsAlloc, VirtualFree, TlsFree
msvcrt.dll: wcslen, _vsnwprintf, wcsncpy, wcsstr, atoi, wcstok, memmove, wcschr, swprintf, swscanf, _local_unwind2, _wcslwr, wcscmp, _snwprintf, malloc, _c_exit, _exit, _XcptFilter, _cexit, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, __3@YAXPAX@Z, __2@YAPAXI@Z, __CxxFrameHandler, _itow, _snprintf, _wtol, _strnicmp, sscanf, wcstombs, sprintf, strchr, strncmp, atof, _ftol, isspace, wcscpy, _controlfp, wcsncmp, _wcsupr, ceil, wcscat, _except_handler3, free, _wcsicmp
NDdeApi.dll: -, -, -, -
ntdll.dll: RtlSubAuthoritySid, RtlAllocateHeap, NtPowerInformation, NtSetSystemPowerState, NtRaiseHardError, RtlDeleteCriticalSection, NtOpenSymbolicLinkObject, NtReplyPort, NtCompleteConnectPort, NtReplyWaitReceivePort, NtAcceptConnectPort, NtCreatePort, RtlConvertSidToUnicodeString, RtlFreeUnicodeString, NtLockProductActivationKeys, RtlTimeToTimeFields, NtUnmapViewOfSection, NtMapViewOfSection, NtOpenSection, NtQuerySymbolicLinkObject, NtQueryVolumeInformationFile, NtSetSecurityObject, RtlAdjustPrivilege, NtOpenFile, NtFsControlFile, RtlAllocateAndInitializeSid, RtlDestroyEnvironment, RtlFreeHeap, NtQueryInformationToken, NtShutdownSystem, RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlInitializeCriticalSection, RtlCreateEnvironment, RtlQueryEnvironmentVariable_U, RtlSetEnvironmentVariable, RtlInitUnicodeString, NtOpenKey, NtQueryValueKey, RtlInitializeSid, RtlLengthRequiredSid, NtAllocateLocallyUniqueId, RtlGetDaclSecurityDescriptor, RtlCopySid, RtlLengthSid, NtSetInformationThread, NtDuplicateToken, NtDuplicateObject, RtlEqualSid, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, NtClose, RtlOpenCurrentUser, RtlAddAce, RtlCreateAcl, RtlNtStatusToDosError, NtSetInformationProcess, NtQuerySystemInformation, NtCreateEvent, NtCreatePagingFile, RtlDosPathNameToNtPathName_U, RtlRegisterWait, NtSetValueKey, NtCreateKey, RtlTimeToSecondsSince1980, NtQuerySystemTime, NtPrivilegeObjectAuditAlarm, NtPrivilegeCheck, NtOpenThreadToken, NtOpenProcessToken, RtlInitString, RtlUnhandledExceptionFilter, NtQueryInformationProcess, DbgBreakPoint, RtlCheckProcessParameters, RtlSetThreadIsCritical, RtlSetProcessIsCritical, RtlGetNtProductType, NtInitiatePowerAction, DbgPrint, NtFilterToken, NtQueryInformationJobObject, NtOpenEvent, RtlGetAce, RtlQueryInformationAcl, NtQuerySecurityObject, RtlCompareUnicodeString, NtOpenDirectoryObject
PROFMAP.dll: InitializeProfileMappingApi, RemapAndMoveUserW
PSAPI.DLL: EnumProcesses, EnumProcessModules, GetModuleBaseNameW
REGAPI.dll: RegDefaultUserConfigQueryW, RegUserConfigQuery
RPCRT4.dll: RpcServerRegisterIfEx, RpcServerUseProtseqEpW, RpcImpersonateClient, I_RpcMapWin32Status, RpcServerRegisterIf, RpcGetAuthorizationContextForClient, RpcFreeAuthorizationContext, RpcServerListen, RpcRevertToSelf, NdrServerCall2, UuidCreate
Secur32.dll: LsaCallAuthenticationPackage, GetUserNameExW, LsaLookupAuthenticationPackage, LsaRegisterLogonProcess
SETUPAPI.dll: SetupDiDestroyDeviceInfoList, SetupDiEnumDeviceInfo, SetupDiGetClassDevsW, SetupDiGetDeviceRegistryPropertyW
USER32.dll: SetFocus, EnumWindows, CreateWindowStationW, RegisterLogonProcess, RecordShutdownReason, LoadLocalFonts, UnhookWindowsHook, SetWindowsHookW, GetWindowTextW, CallNextHookEx, DialogBoxParamW, GetWindowPlacement, GetSystemMenu, DeleteMenu, SetWindowPlacement, SetUserObjectInformationW, GetAsyncKeyState, PostThreadMessageW, SetUserObjectSecurity, CreateDesktopW, GetMessageTime, SetTimer, SetLogonNotifyWindow, UnlockWindowStation, ReplyMessage, UnregisterHotKey, RegisterHotKey, OpenInputDesktop, GetUserObjectInformationW, CloseDesktop, RegisterDeviceNotificationW, SetThreadDesktop, CreateWindowExW, GetMessageW, TranslateMessage, RegisterWindowMessageW, RegisterClassW, SetCursor, FindWindowW, MessageBoxW, SendNotifyMessageW, PostQuitMessage, MsgWaitForMultipleObjects, GetWindowRect, GetSystemMetrics, PeekMessageW, DispatchMessageW, KillTimer, SetProcessWindowStation, UpdateWindow, ShowWindow, SetWindowPos, PostMessageW, ExitWindowsEx, EnumDisplayMonitors, SystemParametersInfoW, GetDlgItem, SendMessageW, CreateDialogParamW, DestroyWindow, GetWindowLongW, GetDlgItemTextW, EndDialog, SetWindowLongW, LoadStringW, SetWindowTextW, SetDlgItemTextW, wsprintfW, wsprintfA, LockWindowStation, MBToWCSEx, SetWindowStationUser, UpdatePerUserSystemParameters, DialogBoxIndirectParamW, wvsprintfW, SetLastErrorEx, LoadCursorW, CheckDlgButton, IsDlgButtonChecked, DefWindowProcW, CloseWindowStation, LoadImageW, GetParent, GetKeyState, GetDesktopWindow, SetForegroundWindow, SwitchDesktop, OpenDesktopW
USERENV.dll: -, WaitForUserPolicyForegroundProcessing, GetAllUsersProfileDirectoryW, -, -, -, WaitForMachinePolicyForegroundProcessing, -, -, -, UnloadUserProfile, LoadUserProfileW, -, RegisterGPNotification, CreateEnvironmentBlock, DestroyEnvironmentBlock, UnregisterGPNotification, GetUserProfileDirectoryW
VERSION.dll: GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
WINSTA.dll: WinStationRequestSessionsList, WinStationQueryLogonCredentialsW, WinStationIsHelpAssistantSession, WinStationAutoReconnect, _WinStationWaitForConnect, _WinStationNotifyLogoff, WinStationDisconnect, _WinStationCallback, WinStationNameFromLogonIdW, _WinStationFUSCanRemoteUserDisconnect, WinStationEnumerate_IndexedW, WinStationGetMachinePolicy, WinStationQueryInformationW, WinStationFreeMemory, WinStationReset, _WinStationNotifyDisconnectPipe, WinStationConnectW, WinStationSetInformationW, WinStationShutdownSystem, WinStationCheckLoopBack, _WinStationNotifyLogon
WINTRUST.dll: CryptCATAdminEnumCatalogFromHash, CryptCATCatalogInfoFromContext, CryptCATAdminCalcHashFromFileHandle, CryptCATAdminAcquireContext, CryptCATAdminReleaseCatalogContext, WTHelperProvDataFromStateData, WinVerifyTrust, WTHelperGetProvSignerFromChain, CryptCATAdminReleaseContext
WS2_32.dll: -, -, getaddrinfo
ExifTool:
file metadata
CharacterSet: Unicode
CodeSize: 461312
CompanyName: Microsoft Corporation
EntryPoint: 0xb4f4
FileDescription: Inloggningsprogram f r Windows NT
FileFlagsMask: 0x003f
FileOS: Windows NT 32-bit
FileSize: 496 kB
FileSubtype: 0
FileType: Win32 EXE
FileVersion: 5.1.2600.5512 (xpsp.080413-2113)
FileVersionNumber: 5.1.2600.5512
ImageVersion: 21315.20512
InitializedDataSize: 45568
InternalName: winlogon
LanguageCode: Swedish
LegalCopyright: Microsoft Corporation. Med ensamr tt.
LinkerVersion: 187.7
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 5.1
ObjectFileType: Executable application
OriginalFilename: WINLOGON.EXE
PEType: PE32
ProductName: Operativsystemet Microsoft Windows
ProductVersion: 5.1.2600.5512
ProductVersionNumber: 5.1.2600.5512
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 2008:04:13 23:04:09+02:00
UninitializedDataSize: 0

---------------------------------------------------------------

SystemLook 04.09.10 by jpshortstuff
Log created at 12:05 on 21/01/2011 by Magnus o Annelie
Administrator - Elevation successful

========== filefind ==========

Searching for "winlogon.exe"
C:\WINDOWS\system32\winlogon.exe --a---- 507904 bytes [11:10 16/09/2010] [12:00 15/04/2008] E159154CCA9C89280F3C9F7859C6DF03
C:\WINDOWS\system32\dllcache\winlogon.exe --a---- 507904 bytes [11:10 16/09/2010] [12:00 15/04/2008] E159154CCA9C89280F3C9F7859C6DF03

Searching for "explorer.exe"
C:\WINDOWS\explorer.exe --a---- 1034240 bytes [11:02 16/09/2010] [12:00 15/04/2008] 2C78D8648BF72A67A5398457589B6E08

-= EOF =-
MickeyKnox
Active Member
 
Posts: 14
Joined: January 20th, 2011, 1:13 pm

Re: Win32/Patched.gb - Random redirecting in all browsers

Unread postby deltalima » January 21st, 2011, 7:53 am

Hi MickeyKnox,

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code: Select all
    :file
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\explorer.exe
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Win32/Patched.gb - Random redirecting in all browsers

Unread postby MickeyKnox » January 21st, 2011, 8:18 am

Hi - weird I didn't get this result earlier - probably personal malfunction ;)

SystemLook 04.09.10 by jpshortstuff
Log created at 13:17 on 21/01/2011 by Magnus o Annelie
Administrator - Elevation successful

========== file ==========

C:\WINDOWS\system32\winlogon.exe - File found and opened.
MD5: E159154CCA9C89280F3C9F7859C6DF03
Created at 11:10 on 16/09/2010
Modified at 12:00 on 15/04/2008
Size: 507904 bytes
Attributes: --a----
FileDescription: Inloggningsprogram för Windows NT
FileVersion: 5.1.2600.5512 (xpsp.080413-2113)
ProductVersion: 5.1.2600.5512
OriginalFilename: WINLOGON.EXE
InternalName: winlogon
ProductName: Operativsystemet Microsoft® Windows®
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. Med ensamrätt.

C:\WINDOWS\explorer.exe - File found and opened.
MD5: 2C78D8648BF72A67A5398457589B6E08
Created at 11:02 on 16/09/2010
Modified at 12:00 on 15/04/2008
Size: 1034240 bytes
Attributes: --a----
FileDescription: Utforskaren
FileVersion: 6.00.2900.5512 (xpsp.080413-2105)
ProductVersion: 6.00.2900.5512
OriginalFilename: EXPLORER.EXE
InternalName: explorer
ProductName: Operativsystemet Microsoft® Windows®
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. Med ensamrätt.

-= EOF =-
MickeyKnox
Active Member
 
Posts: 14
Joined: January 20th, 2011, 1:13 pm

Re: Win32/Patched.gb - Random redirecting in all browsers

Unread postby deltalima » January 21st, 2011, 8:58 am

Hi MickeyKnox,

Please go here and click download to download the Windows XP Service Pack 3 Network Installation Package and save the file.

If any of these instructions are unclear please ask before continuing.

  • Use Windows Explorer to create a folder called sp3 in the root of drive C:
  • Move the service pack install file into that folder
  • Open a command prompt widow (start - run - cmd)
  • At the command prompt
  • Type C: and press enter
  • Type cd \sp3 and press enter
  • Type WindowsXP-KB936929-SP3-x86-ENU.exe -x: c:\sp3 and press enter
  • This should now extract the service pack files into that folder, if it tries to do anything else cancel and let me know.
  • Type cd i386 and press enter
  • Type expand winlogon.ex_ winlogon.exe and press enter
  • Type expand explorer.ex_ explorer.exe and press enter
  • Type exit and press enter to close the command console
  • Create a folder called MRU in the root of drive C:
  • Now use Windows Explorer navigate to the folder c:\sp3\i386 and locate the file winlogon.exe Right click and select copy
  • Paste the file into the folder C:\MRU
  • Now use Windows Explorer navigate to the folder c:\sp3\i386 and locate the file explorer.exe Right click and select copy
  • Paste the file into the folder C:\MRU

Now navigate to the folder C:\MRU

There should be two files, please right click on each and click on properties then version and let me know the File version for each of the file names.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Win32/Patched.gb - Random redirecting in all browsers

Unread postby MickeyKnox » January 21st, 2011, 9:28 am

Hi once again - thanks for great instructions.
Theese are the versions of the new files.

Eplorer.exe - 6.0.2900.5512
Winlogon.exe - 5.1.2600.5512
MickeyKnox
Active Member
 
Posts: 14
Joined: January 20th, 2011, 1:13 pm

Re: Win32/Patched.gb - Random redirecting in all browsers

Unread postby deltalima » January 21st, 2011, 9:37 am

Hi MickeyKnox,

Blitzblank.

Download BlitzBlank and save it to your desktop. Open Blitzblank.exe

  • Click OK at the warning (and take note of it, this is a VERY powerful tool!).
  • Click the Script tab and copy/paste the following text there:
Code: Select all
CopyFile:
C:\MRU\explorer.exe C:\Windows\explorer.exe
C:\MRU\winlogon.exe  C:\WINDOWS\system32\winlogon.exe

  • Click Execute Now. Your computer will need to reboot in order to replace the files.
  • When done, post me the report created by Blitzblank. you can find it at the root of the drive Normaly C:\
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Win32/Patched.gb - Random redirecting in all browsers

Unread postby MickeyKnox » January 21st, 2011, 10:09 am

Hi - everything worked out fine.
Here's the report:


BlitzBlank 1.0.0.32

File/Registry Modification Engine native application
CopyFileOnReboot: sourceFile = "\??\c:\mru\explorer.exe", destinationFile = "\??\c:\windows\explorer.exe"CopyFileOnReboot: sourceFile = "\??\c:\mru\winlogon.exe", destinationFile = "\??\c:\windows\system32\winlogon.exe"
MickeyKnox
Active Member
 
Posts: 14
Joined: January 20th, 2011, 1:13 pm

Re: Win32/Patched.gb - Random redirecting in all browsers

Unread postby deltalima » January 21st, 2011, 10:10 am

Great - now run another scan with Antivir, don't remove anything and post the log.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 21 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware