Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malware in csrss.exe


  • Please log in to reply
11 replies to this topic

#1 BartT

BartT

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:19 AM

Posted 03 July 2011 - 06:34 PM

I'm probably infected with some malare. Despite the fact that MSE reported that it
detected some Trojan's and removed them, they are still very much alive:

Backdoor:Win32/Cycbot.B
TrojanDownloader:Win32/Ponmocup.A
TrojanDownloader:Win32/Harning.S

The result is that when I do Google searches, they go to some random advertisements.

What I see is that under C:\Users\<user>\AppData\Local\Temp some files keep coming back:
csrss.exe and after a few minutes 4 instances of etilqs_abc where abc is some random string.
I've manually removed them from the recovery console, but when I reboot window normally,
they reappear...

Can anybody help me?

BC AdBot (Login to Remove)

 


#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 34,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:02:19 AM

Posted 03 July 2011 - 06:38 PM

Welcome aboard Posted Image

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

===========================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size
Click Go and post the result.

===========================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif




#3 BartT

BartT
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:19 AM

Posted 03 July 2011 - 08:51 PM

Thanks for your fast response.

Here are the logs:

MiniToolBox:

MiniToolBox by Farbar
Ran by Bart (administrator) on 04-07-2011 at 02:11:51
Windows 7 Professional Service Pack 1 (X64)

***************************************************************************


========================= IE Proxy Settings: ==============================

Proxy is enabled.
ProxyServer: http=127.0.0.1:53212

========================= End of IE Proxy Settings ========================
=============== Hosts content: ============================================

# Copyright © 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost


=============== End of Hosts ==============================================

================= IP Configuration: =======================================

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : Studio16
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Bluetooth Network Connection 6:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network) #6
Physical Address. . . . . . . . . : 00-15-83-36-3A-C8
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection 2:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Win32 Adapter V9
Physical Address. . . . . . . . . : 00-FF-CF-B4-95-4F
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection 2:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter
Physical Address. . . . . . . . . : 70-1A-04-D9-01-3A
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Dell Wireless 1397 WLAN Mini-Card
Physical Address. . . . . . . . . : 70-1A-04-D9-01-3A
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::d49a:7bb4:68c8:c0b5%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.103(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : maandag 4 juli 2011 1:12:37
Lease Expires . . . . . . . . . . : donderdag 10 augustus 2147 8:40:07
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 225450500
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-F1-49-BD-00-26-B9-1E-F2-90
DNS Servers . . . . . . . . . . . : 195.130.130.4
195.130.131.4
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetLink ™ Gigabit Ethernet
Physical Address. . . . . . . . . : 00-26-B9-1E-F2-90
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 25:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{CFB4954F-A007-4D1E-B479-536D4F82B814}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 16:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fb:1c3a:2117:ab3a:891c(Preferred)
Link-local IPv6 Address . . . . . : fe80::1c3a:2117:ab3a:891c%35(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.{88A28B91-D42D-4BF2-8434-9DE9F77E3DFD}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #6
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: hobo.dnscache01.telenet-ops.be
Address: 195.130.130.4

Name: google.com
Addresses: 66.102.13.106
66.102.13.147
66.102.13.99
66.102.13.103
66.102.13.104
66.102.13.105


Pinging google.com [66.102.13.103] with 32 bytes of data:
Reply from 66.102.13.103: bytes=32 time=20ms TTL=51
Reply from 66.102.13.103: bytes=32 time=18ms TTL=51

Ping statistics for 66.102.13.103:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 18ms, Maximum = 20ms, Average = 19ms
Server: hobo.dnscache01.telenet-ops.be
Address: 195.130.130.4

Name: yahoo.com
Addresses: 209.191.122.70
67.195.160.76
69.147.125.65
72.30.2.43
98.137.149.56


Pinging yahoo.com [98.137.149.56] with 32 bytes of data:
Reply from 98.137.149.56: bytes=32 time=169ms TTL=47
Reply from 98.137.149.56: bytes=32 time=213ms TTL=47

Ping statistics for 98.137.149.56:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 169ms, Maximum = 213ms, Average = 191ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
39...00 15 83 36 3a c8 ......Bluetooth Device (Personal Area Network) #6
16...00 ff cf b4 95 4f ......TAP-Win32 Adapter V9
12...70 1a 04 d9 01 3a ......Microsoft Virtual WiFi Miniport Adapter
11...70 1a 04 d9 01 3a ......Dell Wireless 1397 WLAN Mini-Card
10...00 26 b9 1e f2 90 ......Broadcom NetLink ™ Gigabit Ethernet
1...........................Software Loopback Interface 1
37...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
40...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
35...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
41...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #6
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.103 30
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.103 286
192.168.1.103 255.255.255.255 On-link 192.168.1.103 286
192.168.1.255 255.255.255.255 On-link 192.168.1.103 286
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.103 286
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.103 286
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
35 58 ::/0 On-link
1 306 ::1/128 On-link
35 58 2001::/32 On-link
35 306 2001:0:5ef5:79fb:1c3a:2117:ab3a:891c/128
On-link
11 286 fe80::/64 On-link
35 306 fe80::/64 On-link
35 306 fe80::1c3a:2117:ab3a:891c/128
On-link
11 286 fe80::d49a:7bb4:68c8:c0b5/128
On-link
1 306 ff00::/8 On-link
35 306 ff00::/8 On-link
11 286 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

================= End of IP Configuration =================================

========================= Event log errors: ===============================

Application errors:
==================
Error: (07/04/2011 01:43:07 AM) (Source: Application Error) (User: )
Description: Faulting application name: WinPatrolEx.exe, version: 20.0.2011.2, time stamp: 0x4d813a79
Faulting module name: WinPatrolEx.exe, version: 20.0.2011.2, time stamp: 0x4d813a79
Exception code: 0xc0000409
Fault offset: 0x0000e3dd
Faulting process id: 0x1bf4
Faulting application start time: 0xWinPatrolEx.exe0
Faulting application path: WinPatrolEx.exe1
Faulting module path: WinPatrolEx.exe2
Report Id: WinPatrolEx.exe3

Error: (07/04/2011 01:14:34 AM) (Source: Application Error) (User: )
Description: Faulting application name: WinPatrol.exe, version: 20.0.2011.2, time stamp: 0x4d813a78
Faulting module name: WinPatrol.exe, version: 20.0.2011.2, time stamp: 0x4d813a78
Exception code: 0xc0000409
Fault offset: 0x0001362b
Faulting process id: 0x1244
Faulting application start time: 0xWinPatrol.exe0
Faulting application path: WinPatrol.exe1
Faulting module path: WinPatrol.exe2
Report Id: WinPatrol.exe3

Error: (07/04/2011 01:12:52 AM) (Source: TFSShellExt) (User: )
Description: Team Foundation services are not available from server uify.dnsalias.net\DefaultCollection.
Technical information (for administrator):
Unable to connect to the remote server

Error: (07/04/2011 01:01:24 AM) (Source: TFSShellExt) (User: )
Description: Team Foundation services are not available from server uify.dnsalias.net\DefaultCollection.
Technical information (for administrator):
Unable to connect to the remote server

Error: (07/04/2011 00:55:54 AM) (Source: Application Error) (User: )
Description: Faulting application name: WinPatrol.exe, version: 20.0.2011.2, time stamp: 0x4d813a78
Faulting module name: WinPatrol.exe, version: 20.0.2011.2, time stamp: 0x4d813a78
Exception code: 0xc0000409
Fault offset: 0x0001362b
Faulting process id: 0x1020
Faulting application start time: 0xWinPatrol.exe0
Faulting application path: WinPatrol.exe1
Faulting module path: WinPatrol.exe2
Report Id: WinPatrol.exe3

Error: (07/04/2011 00:55:39 AM) (Source: Application Error) (User: )
Description: Faulting application name: WinPatrolEx.exe, version: 20.0.2011.2, time stamp: 0x4d813a79
Faulting module name: WinPatrolEx.exe, version: 20.0.2011.2, time stamp: 0x4d813a79
Exception code: 0xc0000409
Fault offset: 0x0000e3dd
Faulting process id: 0x1acc
Faulting application start time: 0xWinPatrolEx.exe0
Faulting application path: WinPatrolEx.exe1
Faulting module path: WinPatrolEx.exe2
Report Id: WinPatrolEx.exe3

Error: (07/04/2011 00:52:35 AM) (Source: Application Error) (User: )
Description: Faulting application name: WinPatrolEx.exe, version: 20.0.2011.2, time stamp: 0x4d813a79
Faulting module name: WinPatrolEx.exe, version: 20.0.2011.2, time stamp: 0x4d813a79
Exception code: 0xc0000409
Fault offset: 0x0000e3dd
Faulting process id: 0x1af8
Faulting application start time: 0xWinPatrolEx.exe0
Faulting application path: WinPatrolEx.exe1
Faulting module path: WinPatrolEx.exe2
Report Id: WinPatrolEx.exe3

Error: (07/04/2011 00:47:14 AM) (Source: TFSShellExt) (User: )
Description: TF30063: You are not authorized to access uify.dnsalias.net\DefaultCollection.

Error: (07/03/2011 11:48:49 PM) (Source: Application Error) (User: )
Description: Faulting application name: stbvvsm.exe, version: 0.0.0.0, time stamp: 0x4dcf02a5
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00000000
Faulting process id: 0x8130
Faulting application start time: 0xstbvvsm.exe0
Faulting application path: stbvvsm.exe1
Faulting module path: stbvvsm.exe2
Report Id: stbvvsm.exe3

Error: (07/03/2011 11:12:09 PM) (Source: Windows Backup) (User: )
Description: The backup was not successful. The error is: The system cannot find the path specified. (0x80070003).


System errors:
=============
Error: (07/04/2011 01:06:11 AM) (Source: Service Control Manager) (User: )
Description: The Server service terminated with the following error:
%%13

Error: (07/04/2011 01:06:10 AM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service terminated with the following error:
%%1115

Error: (07/04/2011 01:06:09 AM) (Source: Service Control Manager) (User: )
Description: The IPsec Policy Agent service failed to start due to the following error:
%%1069

Error: (07/04/2011 01:06:09 AM) (Source: Service Control Manager) (User: )
Description: The PolicyAgent service was unable to log on as NT Authority\NetworkService with the currently configured password due to the following error:
%%1352

To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

Error: (07/04/2011 01:06:09 AM) (Source: Service Control Manager) (User: )
Description: The IPsec Policy Agent service failed to start due to the following error:
%%1069

Error: (07/04/2011 01:06:09 AM) (Source: Service Control Manager) (User: )
Description: The PolicyAgent service was unable to log on as NT Authority\NetworkService with the currently configured password due to the following error:
%%1352

To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

Error: (07/04/2011 01:06:09 AM) (Source: Service Control Manager) (User: )
Description: The IPsec Policy Agent service failed to start due to the following error:
%%1069

Error: (07/04/2011 01:06:09 AM) (Source: Service Control Manager) (User: )
Description: The PolicyAgent service was unable to log on as NT Authority\NetworkService with the currently configured password due to the following error:
%%1352

To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

Error: (07/03/2011 11:12:31 PM) (Source: VDS Basic Provider) (User: )
Description: Unexpected failure. Error code: 490@01010004

Error: (07/02/2011 09:16:48 AM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR2.


Microsoft Office Sessions:
=========================
Error: (07/04/2011 01:43:07 AM) (Source: Application Error)(User: )
Description: WinPatrolEx.exe20.0.2011.24d813a79WinPatrolEx.exe20.0.2011.24d813a79c00004090000e3dd1bf401cc39dacab258ebC:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrolEx.exeC:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrolEx.exe3335c3c9-a5ce-11e0-bf89-001583363ac8

Error: (07/04/2011 01:14:34 AM) (Source: Application Error)(User: )
Description: WinPatrol.exe20.0.2011.24d813a78WinPatrol.exe20.0.2011.24d813a78c00004090001362b124401cc39d6b93ce818C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exeC:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe367b57e7-a5ca-11e0-bf89-001583363ac8

Error: (07/04/2011 01:12:52 AM) (Source: TFSShellExt)(User: )
Description: Team Foundation services are not available from server uify.dnsalias.net\DefaultCollection.
Technical information (for administrator):
Unable to connect to the remote server

Error: (07/04/2011 01:01:24 AM) (Source: TFSShellExt)(User: )
Description: Team Foundation services are not available from server uify.dnsalias.net\DefaultCollection.
Technical information (for administrator):
Unable to connect to the remote server

Error: (07/04/2011 00:55:54 AM) (Source: Application Error)(User: )
Description: WinPatrol.exe20.0.2011.24d813a78WinPatrol.exe20.0.2011.24d813a78c00004090001362b102001cc39d30d306050C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exeC:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe9af14b93-a5c7-11e0-bdb9-001583363ac8

Error: (07/04/2011 00:55:39 AM) (Source: Application Error)(User: )
Description: WinPatrolEx.exe20.0.2011.24d813a79WinPatrolEx.exe20.0.2011.24d813a79c00004090000e3dd1acc01cc39d401e57609C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrolEx.exeC:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrolEx.exe92208b38-a5c7-11e0-bdb9-001583363ac8

Error: (07/04/2011 00:52:35 AM) (Source: Application Error)(User: )
Description: WinPatrolEx.exe20.0.2011.24d813a79WinPatrolEx.exe20.0.2011.24d813a79c00004090000e3dd1af801cc39d35b926414C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrolEx.exeC:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrolEx.exe241d4fd7-a5c7-11e0-bdb9-001583363ac8

Error: (07/04/2011 00:47:14 AM) (Source: TFSShellExt)(User: )
Description: TF30063: You are not authorized to access uify.dnsalias.net\DefaultCollection.

Error: (07/03/2011 11:48:49 PM) (Source: Application Error)(User: )
Description: stbvvsm.exe0.0.0.04dcf02a5unknown0.0.0.000000000c000000500000000813001cc39cafc5d7658C:\Users\Bart\AppData\Local\Temp\stbvvsm.exeunknown3b69a607-a5be-11e0-8124-001583363ac8

Error: (07/03/2011 11:12:09 PM) (Source: Windows Backup)(User: )
Description: The system cannot find the path specified. (0x80070003)


========================= End of Event log errors =========================

========================= Memory info: ====================================

Percentage of memory in use: 37%
Total physical RAM: 6132.51 MB
Available physical RAM: 3806.89 MB
Total Pagefile: 12263.21 MB
Available Pagefile: 9417.32 MB
Total Virtual: 4095.88 MB
Available Virtual: 3969.93 MB

======================= Partitions: =======================================

3 Drive c: () (Fixed) (Total:465.66 GB) (Free:43.71 GB) NTFS

================= Users: ==================================================

User accounts for \\STUDIO16

-------------------------------------------------------------------------------
Administrator Bart Guest
Kitty Lander Lori
The command completed successfully.

================= End of Users ============================================

MalwareBytes

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7014

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

4/07/2011 2:22:22
mbam-log-2011-07-04 (02-22-22).txt

Scan type: Quick scan
Objects scanned: 235366
Time elapsed: 4 minute(s), 26 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
c:\Users\Bart\AppData\Roaming\dwm.exe (Trojan.Backdoor.Gen) -> 4448 -> Unloaded process successfully.
c:\Users\Bart\AppData\Local\Temp\csrss.exe (Trojan.Backdoor.Gen) -> 5592 -> Unloaded process successfully.
c:\Users\Bart\AppData\Roaming\microsoft\conhost.exe (Trojan.Backdoor.Gen) -> 5808 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\DVYHI42JUG (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\R4B1ZAOPF5 (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Trojan.Backdoor.Gen) -> Value: conhost -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Value: Load -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen) -> Value: Shell -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Backdoor.Gen) -> Bad: (C:\Users\Bart\AppData\Local\Temp\csrss.exe) Good: () -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Bart\AppData\Roaming\dwm.exe (Trojan.Backdoor.Gen) -> Quarantined and deleted successfully.
c:\Users\Bart\AppData\Local\Temp\csrss.exe (Trojan.Backdoor.Gen) -> Quarantined and deleted successfully.
c:\Users\Bart\AppData\Roaming\microsoft\conhost.exe (Trojan.Backdoor.Gen) -> Quarantined and deleted successfully.
c:\Windows\Lgefea.exe (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.


GMER

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-07-04 03:46:05
Windows 6.1.7601 Service Pack 1
Running: gdq8b2kl.exe


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001583363ac8
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001583363ac8@000761c01040 0x06 0x76 0xAB 0x17 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001583363ac8@000761c01472 0xED 0xA4 0xA3 0x8A ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001583363ac8@000761c03301 0xB1 0xF0 0xB0 0xA7 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\701a049c669b
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\701a049c669b@000761c01040 0x5E 0xBB 0xE8 0x08 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\701a049c669b@000761c03301 0x81 0xFA 0x6C 0x3A ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\701a049c669b@000761c01472 0x83 0x08 0xD3 0x52 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001583363ac8 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001583363ac8@000761c01040 0x06 0x76 0xAB 0x17 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001583363ac8@000761c01472 0xED 0xA4 0xA3 0x8A ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001583363ac8@000761c03301 0xB1 0xF0 0xB0 0xA7 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\701a049c669b (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\701a049c669b@000761c01040 0x5E 0xBB 0xE8 0x08 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\701a049c669b@000761c03301 0x81 0xFA 0x6C 0x3A ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\701a049c669b@000761c01472 0x83 0x08 0xD3 0x52 ...

---- Files - GMER 1.0.15 ----

File C:\Users\Bart\AppData\Roaming\Microsoft\Windows\Recent\2009.lnk 0 bytes
File C:\Users\Bart\AppData\Roaming\Microsoft\Windows\Recent\NCC_PANEL_B.jpg.lnk 0 bytes

---- EOF - GMER 1.0.15 ----



SecurityCheck.exe crashes on my system (not a valid Win32 application) (something to do with Windows 7 64 bit ?).

#4 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 34,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:02:19 AM

Posted 03 July 2011 - 09:27 PM

Right click on SecurityCheck.exe, click "Run As Administrator".

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif




#5 BartT

BartT
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:19 AM

Posted 05 July 2011 - 02:01 AM

The SecurityCheck.exe doesn't run on my system, running it as Administrator
doesn't help.

On first sight the malware seems to be gone - but can you ever be sure?

Thanks for your help.

#6 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 34,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:02:19 AM

Posted 05 July 2011 - 01:51 PM

Please, re-run MiniToolbox.

Checkmark following boxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
Click Go and post the result.

Then...

Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.

===============================================================

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif




#7 BartT

BartT
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:19 AM

Posted 06 July 2011 - 10:55 AM

Here's the miniToolbox dump - looking good :-)


MiniToolBox by Farbar
Ran by Bart (administrator) on 06-07-2011 at 08:54:57
Windows 7 Professional Service Pack 1 (X64)

***************************************************************************


================= Flush DNS: ==============================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

================= End of Flush DNS ========================================

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
ProxyServer: http=127.0.0.1:53212

========================= End of IE Proxy Settings ========================

"Reset IE Proxy Settings": Proxy Settings were reset.



Here's the ESET dump:

C:\ProgramData\Win7codecs\{5D33C65D-EC8B-4505-B909-34F9BEACD44E}\Win7codecs.msi Win32/Packed.Autoit.C.Gen application deleted - quarantined



Thanks again!

#8 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 34,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:02:19 AM

Posted 06 July 2011 - 07:16 PM

Re-run MiniToolbox.

Checkmark following boxes:
  • Report IE Proxy Settings
Click Go and post the result.

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif




#9 BartT

BartT
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:19 AM

Posted 07 July 2011 - 01:44 AM

MiniToolBox by Farbar
Ran by Bart (administrator) on 07-07-2011 at 08:43:51
Windows 7 Professional Service Pack 1 (X64)

***************************************************************************


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= End of IE Proxy Settings ========================

#10 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 34,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:02:19 AM

Posted 07 July 2011 - 07:22 PM

Proxies setting look good now.

How is redirection?

Please, continue with two other steps from my reply #6 (TFC, ESET)

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif




#11 BartT

BartT
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:19 AM

Posted 09 July 2011 - 08:11 AM

ESET didn't find anything.
Redirection is gone, so everything works fine again.

Thanks a lot!

Just a last question:
Until now I used MSE as protection, but clearly this doesn't seem enough.
Is there any antivirus/malware program you can suggest that does a better job?

#12 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 34,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:02:19 AM

Posted 09 July 2011 - 11:25 AM

MSE is a fine program.
There is no perfect security program.
It's always about your computer habits.

Your computer is clean Posted Image

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll remove all old restore points and create fresh, clean restore point.

Turn system restore off.
Restart computer.
Turn system restore back on.

If you don't know how to do it...
Windows XP: http://support.microsoft.com/kb/310405
Vista and Windows 7: http://www.howtogeek.com/howto/windows-vista/disable-system-restore-in-windows-vista/

2. Make sure, Windows Updates are current.

3. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

4. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

5. Run Temporary File Cleaner (TFC) weekly.

6. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

7. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

8. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

9. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif







0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users