Hi
Download RenV.exe from the following link and save it to your Desktop:
http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe
Double-click RenV.exe.
When finished, it shall produce a new log for you. Post that log in your next reply.
Microsoft MVP Consumer Security 2008-2011
Member of ASAP and UNITE since 2006
I can safely assume that it is ok to go online then, right?
Hi
Of course it's recommendable to stay offline as much as possible, but yes, you will need to download that tool, and you can do that from the infected computer, yes.
Microsoft MVP Consumer Security 2008-2011
Member of ASAP and UNITE since 2006
here it is!
Code:
Ran on Fri 12/28/2007 - 14:27:16.96
----a-w 61,440 2007-12-28 19:25:07 C:\hp\KBD\KBD .EXE
----a-w 151,597 2007-12-28 18:29:39 C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w 110,592 2007-12-28 19:25:05 C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe
----a-w 49,152 2007-12-28 18:29:50 C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
----a-w 241,664 2007-12-28 18:29:50 C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
----a-w 49,152 2007-12-28 18:29:49 C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05 .exe
----a-w 36,975 2007-12-28 18:29:42 C:\Program Files\Java\jre1.5.0_02\bin\jusched .exe
----a-w 1,694,208 2007-12-28 18:29:56 C:\Program Files\Messenger\msmsgs .exe
----a-w 450,048 2007-12-23 15:48:35 C:\Program Files\QuickTime\qttask .exe
----a-w 450,048 2007-12-23 15:30:17 C:\Program Files\QuickTime\qttask .exe
----a-w 450,048 2007-12-23 14:39:57 C:\Program Files\QuickTime\qttask .exe
----a-w 94,208 2007-12-28 19:25:06 C:\WINDOWS\KHALMNPR .EXE
----a-w 19,968 2007-12-28 19:25:05 C:\WINDOWS\Logi_MwX .Exe
----a-w 50,176 2007-12-28 18:29:51 C:\WINDOWS\eHome\ehtray .exe
----a-w 158,208 2007-12-25 22:06:47 C:\WINDOWS\pchealth\helpctr\Binaries\MSConfig .exe
----a-w 158,208 2007-12-28 19:25:09 C:\WINDOWS\pchealth\helpctr\Binaries\MSConfig .exe
----a-w 502,272 2007-12-25 22:00:54 C:\WINDOWS\pchealth\helpctr\Binaries\MSConfig .exe
----a-w 233,472 2007-12-23 15:30:18 C:\WINDOWS\SMINST\RECGUARD .EXE
----a-w 52,736 2007-12-23 23:17:55 C:\WINDOWS\system\hpsysdrv .exe
----a-w 155,648 2007-12-28 18:29:46 C:\WINDOWS\system32\NeroCheck .exe
----a-w 81,920 2007-12-28 19:25:05 C:\WINDOWS\system32\ps2 .exe
Entries: 21 (21) Directories: 0 Files: 21 Bytes: 5,251,740 Blocks: 10,259
Hi
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows
Please click this link-->Jotti
When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.
C:\Program Files\QuickTime\qttask .exe (there is a space between k and .)
Repeat this step for C:\Program Files\QuickTime\qttask.exe
Please post back the results of the scan in your next post.
If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
Microsoft MVP Consumer Security 2008-2011
Member of ASAP and UNITE since 2006
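Added example, not part of the thread and not RenV's own code: a Python sketch that parses a listing in the layout of the log posted above and, for each name with whitespace before its extension, derives the normally named counterpart to submit alongside it. The sample lines are constructed, and the field layout is assumed from that log.

```python
import ntpath
import re
from collections import Counter

# Constructed sample in the layout of the listing posted above (values are illustrative).
SAMPLE_LOG = r"""
Ran on Fri 12/28/2007 - 14:27:16.96
----a-w 450,048 2007-12-23 15:48:35 C:\Program Files\QuickTime\qttask .exe
----a-w 450,048 2007-12-23 15:30:17 C:\Program Files\QuickTime\qttask .exe
----a-w 81,920 2007-12-28 19:25:05 C:\WINDOWS\system32\ps2 .exe
----a-w 94,208 2007-12-28 19:25:06 C:\WINDOWS\KHALMNPR .EXE
Entries: 4 (4) Directories: 0 Files: 4
"""

ENTRY = re.compile(
    r"^(?P<attrs>[-a-z]{7})\s+(?P<size>[\d,]+)\s+"
    r"(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<path>[A-Za-z]:\\.+)$"
)

def parse_listing(text):
    """Return one dict per file line; header, summary and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append({"attrs": m["attrs"], "stamp": m["stamp"],
                            "size": int(m["size"].replace(",", "")),
                            "path": m["path"]})
    return entries

def padded_pairs(entries):
    """Map each padded path to (normally named counterpart, times listed)."""
    pairs = {}
    for path, seen in Counter(e["path"] for e in entries).items():
        folder, name = ntpath.split(path)
        stem, ext = ntpath.splitext(name)
        if ext and stem != stem.rstrip():      # whitespace right before the extension
            pairs[path] = (ntpath.join(folder, stem.rstrip() + ext), seen)
    return pairs

if __name__ == "__main__":
    for padded, (plain, seen) in padded_pairs(parse_listing(SAMPLE_LOG)).items():
        # A name listed more than once may hide variants that differ only in
        # the number of spaces, collapsed when the log was pasted (assumption).
        note = "  <- listed %d times, check for multi-space variants" % seen if seen > 1 else ""
        print("%r  pair with  %r%s" % (padded, plain, note))
```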
Hi
here they are....but just to mention that while browsing the folder there are also two additional files there, the next with two spaces before the period and then three spaces before the period......the second scan told me the file had already been analyzed......the first is the one with the space and the second report is the one without the space
File qttask_.exe received on 12.29.2007 15:16:04 (CET)
Result: 19/32 (59.38%)
Antivirus          Version        Last Update  Result
AhnLab-V3          2007.12.29.11  2007.12.29   -
AntiVir            7.6.0.46       2007.12.28   HEUR/Malware
Authentium         4.93.8         2007.12.29   W32/Virtumonde.OQ
Avast              4.7.1098.0     2007.12.28   -
AVG                7.5.0.516      2007.12.28   Dropper.Generic.THT
BitDefender        7.2            2007.12.29   Trojan.Dropper.Vundo.E
CAT-QuickHeal      9.00           2007.12.29   Win32.AdWare.Virtumonde.cli
ClamAV             0.91.2         2007.12.29   W32.Prep-1
DrWeb              4.44.0.09170   2007.12.29   Trojan.MulDrop.9328
eSafe              7.0.15.0       2007.12.27   -
eTrust-Vet         31.3.5412      2007.12.29   Win32/Trats.A
Ewido              4.0            2007.12.29   -
FileAdvisor        1              2007.12.29   -
Fortinet           3.14.0.0       2007.12.29   -
F-Prot             4.4.2.54       2007.12.28   W32/Virtumonde.OQ
F-Secure           6.70.13030.0   2007.12.28   -
Ikarus             T3.1.1.15      2007.12.29   not-a-virus:AdWare.Win32.Virtumonde.cli
Kaspersky          7.0.0.125      2007.12.29   not-a-virus:AdWare.Win32.Virtumonde.cli
McAfee             5195           2007.12.28   -
Microsoft          1.3109         2007.12.29   Virus:Win32/Trats.D
NOD32v2            2755           2007.12.29   Win32/Adware.Virtumonde.CLI
Norman             5.80.02        2007.12.28   -
Panda              9.0.0.4        2007.12.29   -
Prevx1             V2             2007.12.29   -
Rising             20.24.52.00    2007.12.29   Worm.Win32.Vadar.h
Sophos             4.24.0         2007.12.29   W32/VirtInf-A
Sunbelt            2.2.907.0      2007.12.28   -
Symantec           10             2007.12.29   W32.Trats!inf
TheHacker          6.2.9.174      2007.12.28   -
VBA32              3.12.2.5       2007.12.29   Trojan.Virtumod.253
VirusBuster        4.3.26:9       2007.12.28   Win32.Trats.B
Webwasher-Gateway  6.6.2          2007.12.28   Heuristic.Malware
Additional information
File size: 450048 bytes
MD5: 91e7e399be835c487c1ff4811174d021
SHA1: a1029daeded8754c33922bf7701513112d8545ad
PEiD: -
here is the one without the space:
File has already been analysed:
MD5:91e7e399be835c487c1ff4811174d021
Date:12.29.2007 15:21:25 (CET) [<1D]
Results:19/32
Permalink:resultado.html?939fdff62a81f07e8c13e6fd928c8a9b
Hi
So did the one without the space come back clean?
Microsoft MVP Consumer Security 2008-2011
Member of ASAP and UNITE since 2006
reanalyzing now! back to you in a minute....
eddie
still analyzing but results look the same so far
Hi
Ok, so they are both infected.
After reanalyzing, please re-run RenV.exe and post contents of that here along with a fresh HijackThis log and jotti/virustotal results
Microsoft MVP Consumer Security 2008-2011
Member of ASAP and UNITE since 2006