BleepingComputer.com: Possible infection due to update

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
  • 3 Pages +
  • 1
  • 2
  • 3
  • You cannot start a new topic
  • This topic is locked

Possible infection due to update

#1 User is offline   Gunto 

  • Senior Member
  • PipPipPipPip
  • Find Topics
  • Group: Malware Study Hall Junior
  • Posts: 369
  • Joined: 05-October 10
  • Gender:Female
  • Location:In front of a computer

Posted 16 October 2011 - 04:09 PM

Hello,

The whole story is as follows. I downloaded an update for a program of mine, YouTube Downloader. This program has never been malicious at all, until today. An update was available, so I downloaded and installed it. It offered me a toolbar, and I'm almost positive I declined, yet it installed anyway. The toolbar was published by Spigot, who apparently are known for being malicious. COMODO first alerted me of the problem, telling me a malicious object was detected. Then another thing popped up, asking me if I wanted to change my search provider, which I declined. Through Googling of processes and folders, all of them state that the toolbar is malware. I since uninstalled YTD and its toolbar, but I saw an item running in the task manager called "ApplicationUpdater.exe" that was supposedly removed through uninstallation. I ended it and it has not reappeared. But most Google results state that even after being uninstalled, traces are left behind, so I am requesting help as I am near positive I'm still infected.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.0.0
Run by Adrienne at 13:09:39 on 2011-10-16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.325 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: COMODO Firewall *Enabled*
FW: AVG Firewall *Disabled*
FW: Sunbelt Personal Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\FileHippo.com\UpdateChecker.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Adrienne\Application Data\Mozilla\Firefox\Profiles\ghyi4e8x.default\extensions\{E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}\components\afom.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://mail.live.com/
uSearch Page =
uSearch Bar =
uInternet Settings,ProxyOverride = <local>;*.local
mSearchAssistant =
mURLSearchHooks: H - No File
BHO: AutorunsDisabled - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [FileHippo.com] "c:\program files\filehippo.com\UpdateChecker.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1265018178156
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1265018170468
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
TCP: Interfaces\{CC44CFDA-A891-4916-8B38-734DB03F6948} : NameServer = 156.154.70.22,156.154.71.22
TCP: Interfaces\{CC44CFDA-A891-4916-8B38-734DB03F6948} : DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
AppInit_DLLs: c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {44BBA844-CC51-11CF-AAFA-00AA00B6015C} - rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\CChat25.inf,PerUserRemove
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\adrienne\application data\mozilla\firefox\profiles\ghyi4e8x.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://mail.live.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 6522
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.0.60818.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============
.
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2011-6-30 242600]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2011-6-30 29400]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKsl88926253;MpKsl88926253;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6adcae45-fabd-4e24-8dd6-e1ae2a0dd757}\MpKsl88926253.sys [2011-10-16 28752]
R1 MpKsla92fc7ed;MpKsla92fc7ed;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{250e6d1a-1eb1-4c76-a19d-2268ab3edd5e}\mpksla92fc7ed.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{250e6d1a-1eb1-4c76-a19d-2268ab3edd5e}\MpKsla92fc7ed.sys [?]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2010-12-18 270888]
R1 sbhips;Sunbelt HIPS Driver;c:\windows\system32\drivers\sbhips.sys [2008-6-21 66600]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2011-6-30 1793712]
R2 ETService;Empowering Technology Service;c:\program files\emachines\emachines recovery management\service\ETService.exe [2009-12-30 24576]
R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2009-3-13 14336]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-4-19 2255464]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-4-18 993848]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-4-18 399416]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2010-12-18 65576]
S1 MpKsl06482615;MpKsl06482615;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{bdd6a7ec-7b7a-4ec3-a835-29687d3d4e25}\mpksl06482615.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{bdd6a7ec-7b7a-4ec3-a835-29687d3d4e25}\MpKsl06482615.sys [?]
S1 MpKslb6c86c0a;MpKslb6c86c0a;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d9480814-639b-4bf6-9d87-70e4861d5ea8}\mpkslb6c86c0a.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d9480814-639b-4bf6-9d87-70e4861d5ea8}\MpKslb6c86c0a.sys [?]
S1 MpKslc7ef81aa;MpKslc7ef81aa;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{932faa22-a4d2-43f2-8fa3-a3dbdbb36a78}\mpkslc7ef81aa.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{932faa22-a4d2-43f2-8fa3-a3dbdbb36a78}\MpKslc7ef81aa.sys [?]
S1 PSINKNC;PSINKNC;c:\windows\system32\drivers\psinknc.sys --> c:\windows\system32\drivers\psinknc.sys [?]
S1 rtuzkzhq;rtuzkzhq;c:\windows\system32\drivers\rtuzkzhq.sys [2011-10-16 41680]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 NanoServiceMain;Panda Cloud Antivirus Service;"c:\program files\panda security\panda cloud antivirus\psanhost.exe" --> c:\program files\panda security\panda cloud antivirus\PSANHost.exe [?]
S2 PSINAflt;PSINAflt;c:\windows\system32\drivers\psinaflt.sys --> c:\windows\system32\drivers\PSINAflt.sys [?]
S2 PSINFile;PSINFile;c:\windows\system32\drivers\psinfile.sys --> c:\windows\system32\drivers\PSINFile.sys [?]
S2 PSINProc;PSINProc;c:\windows\system32\drivers\psinproc.sys --> c:\windows\system32\drivers\PSINProc.sys [?]
S2 PSINProt;PSINProt;c:\windows\system32\drivers\psinprot.sys --> c:\windows\system32\drivers\PSINProt.sys [?]
S2 SbPF.Launcher;SbPF.Launcher;"c:\program files\sunbelt software\personal firewall\sbpflnch.exe" --> c:\program files\sunbelt software\personal firewall\SbPFLnch.exe [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2009-3-13 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-3-13 14336]
S4 SPF4;Sunbelt Personal Firewall 4;"c:\program files\sunbelt software\personal firewall\sbpfsvc.exe" --> c:\program files\sunbelt software\personal firewall\SbPFSvc.exe [?]
SUnknown Application Updater;Application Updater; [x]
.
=============== Created Last 30 ================
.
2011-10-16 19:32:50 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{7f5b0e0d-6170-4289-930a-7431d8bd9d4b}\offreg.dll
2011-10-16 16:56:47 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6adcae45-fabd-4e24-8dd6-e1ae2a0dd757}\MpKsl88926253.sys
2011-10-16 16:55:54 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6adcae45-fabd-4e24-8dd6-e1ae2a0dd757}\offreg.dll
2011-10-16 16:55:51 7269712 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6adcae45-fabd-4e24-8dd6-e1ae2a0dd757}\mpengine.dll
2011-10-16 16:34:45 41680 ----a-w- c:\windows\system32\drivers\rtuzkzhq.sys
2011-10-15 09:31:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-10-14 07:46:48 7269712 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{7f5b0e0d-6170-4289-930a-7431d8bd9d4b}\mpengine.dll
2011-10-12 14:52:15 -------- d-----w- c:\program files\iPod
2011-10-12 14:52:08 -------- d-----w- c:\program files\iTunes
2011-10-12 14:46:09 -------- d-----w- c:\program files\Bonjour
2011-10-08 13:09:00 -------- d-----w- c:\program files\Paint.NET
2011-10-08 13:08:18 -------- d-----w- c:\documents and settings\adrienne\local settings\application data\Paint.NET
2011-10-08 00:05:50 323624 ----a-w- c:\windows\system32\wiaaut.dll
2011-10-02 07:11:58 -------- d-----w- c:\documents and settings\adrienne\application data\LOVE
2011-10-01 02:32:17 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-09-27 06:10:23 388096 ----a-r- c:\documents and settings\adrienne\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-09-27 06:10:22 -------- d-----w- c:\program files\Trend Micro
2011-09-27 02:05:15 7269712 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-09-25 11:25:59 -------- d-----w- c:\documents and settings\all users\application data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-09-25 10:48:30 -------- d-----w- c:\program files\Microsoft Security Client
2011-09-24 14:16:42 -------- d-----w- c:\documents and settings\adrienne\application data\AVG2012
2011-09-24 14:15:06 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
2011-09-24 13:58:40 81984 ----a-w- c:\windows\system32\bdod.bin
2011-09-24 13:46:24 -------- d-----w- c:\documents and settings\all users\application data\BitDefender
2011-09-24 00:21:19 -------- d-----w- c:\program files\Microsoft Chat
2011-09-22 08:37:20 -------- d--h--w- C:\VritualRoot
2011-09-22 08:23:50 -------- d-----w- c:\documents and settings\all users\application data\Comodo
2011-09-22 08:23:30 -------- d-----w- c:\program files\COMODO
2011-09-22 08:22:23 -------- d-----w- c:\documents and settings\all users\application data\Comodo Downloader
2011-09-21 12:26:08 -------- d-----w- c:\documents and settings\adrienne\application data\Panda Security
2011-09-21 12:24:11 -------- d-----w- c:\documents and settings\all users\application data\Panda Security
2011-09-21 12:16:26 -------- d-----w- C:\temp
.
==================== Find3M ====================
.
2011-10-05 04:34:52 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-26 18:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20:51 1858944 ------w- c:\windows\system32\win32k.sys
2011-09-01 00:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-31 06:05:04 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-31 06:05:04 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-08-31 06:05:04 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-08-31 06:05:04 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48:54 43520 ------w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56:39 385024 ------w- c:\windows\system32\html.iec
2011-08-17 13:49:54 138496 ------w- c:\windows\system32\drivers\afd.sys
2011-08-10 04:06:00 280276 ------w- c:\windows\system32\nvdrsdb1.bin
2011-08-10 04:06:00 1 ------w- c:\windows\system32\nvdrssel.bin
2011-08-10 04:05:56 280276 ------w- c:\windows\system32\nvdrsdb0.bin
2011-07-31 02:43:37 128000 ------w- c:\windows\system32\javacpl.cpl
2011-07-31 02:43:36 544656 ------w- c:\windows\system32\deployJava1.dll
.
============= FINISH: 13:13:46.82 ===============

GMER was too huge to upload.

Gunto

Attached File(s)


This post has been edited by Gunto: 16 October 2011 - 04:17 PM

Posted Image
It's pronounced Goon-toe!

#2 User is offline   HelpBot 

  • Bleepin' Binary Bot
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Bots
  • Posts: 5,607
  • Joined: 05-October 07
  • Gender:Male

Posted 21 October 2011 - 04:10 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Posted Image In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/423787 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Posted Image If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.

  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.


Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 User is offline   Gunto 

  • Senior Member
  • PipPipPipPip
  • Find Topics
  • Group: Malware Study Hall Junior
  • Posts: 369
  • Joined: 05-October 10
  • Gender:Female
  • Location:In front of a computer

Posted 22 October 2011 - 01:58 AM

Still same thing. I haven't seen ApplicationUpdater.exe lately. GMER is still too big to upload.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.0.0
Run by Adrienne at 23:00:21 on 2011-10-21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.309 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: COMODO Firewall *Enabled*
FW: AVG Firewall *Disabled*
FW: Sunbelt Personal Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\FileHippo.com\UpdateChecker.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\WINDOWS\system32\wuauclt.exe
svchost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://mail.live.com/
uSearch Page =
uSearch Bar =
uInternet Settings,ProxyOverride = <local>;*.local
mSearchAssistant =
mURLSearchHooks: H - No File
BHO: AutorunsDisabled - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [FileHippo.com] "c:\program files\filehippo.com\UpdateChecker.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1265018178156
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1265018170468
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
TCP: Interfaces\{CC44CFDA-A891-4916-8B38-734DB03F6948} : NameServer = 156.154.70.22,156.154.71.22
TCP: Interfaces\{CC44CFDA-A891-4916-8B38-734DB03F6948} : DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
AppInit_DLLs: c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {44BBA844-CC51-11CF-AAFA-00AA00B6015C} - rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\CChat25.inf,PerUserRemove
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\adrienne\application data\mozilla\firefox\profiles\ghyi4e8x.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://mail.live.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 6522
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.0.60818.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============
.
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2011-6-30 492768]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2011-6-30 31704]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKsl2b076922;MpKsl2b076922;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{15c3d299-1c23-4d48-a586-8ad91cff8144}\MpKsl2b076922.sys [2011-10-21 28752]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2010-12-18 270888]
R1 sbhips;Sunbelt HIPS Driver;c:\windows\system32\drivers\sbhips.sys [2008-6-21 66600]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2011-6-30 1883328]
R2 ETService;Empowering Technology Service;c:\program files\emachines\emachines recovery management\service\ETService.exe [2009-12-30 24576]
R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2009-3-13 14336]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-4-19 2255464]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-4-18 993848]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-4-18 399416]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2010-12-18 65576]
S1 MpKsl06482615;MpKsl06482615;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{bdd6a7ec-7b7a-4ec3-a835-29687d3d4e25}\mpksl06482615.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{bdd6a7ec-7b7a-4ec3-a835-29687d3d4e25}\MpKsl06482615.sys [?]
S1 MpKslb6c86c0a;MpKslb6c86c0a;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d9480814-639b-4bf6-9d87-70e4861d5ea8}\mpkslb6c86c0a.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d9480814-639b-4bf6-9d87-70e4861d5ea8}\MpKslb6c86c0a.sys [?]
S1 MpKslc7ef81aa;MpKslc7ef81aa;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{932faa22-a4d2-43f2-8fa3-a3dbdbb36a78}\mpkslc7ef81aa.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{932faa22-a4d2-43f2-8fa3-a3dbdbb36a78}\MpKslc7ef81aa.sys [?]
S1 PSINKNC;PSINKNC;c:\windows\system32\drivers\psinknc.sys --> c:\windows\system32\drivers\psinknc.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 NanoServiceMain;Panda Cloud Antivirus Service;"c:\program files\panda security\panda cloud antivirus\psanhost.exe" --> c:\program files\panda security\panda cloud antivirus\PSANHost.exe [?]
S2 PSINAflt;PSINAflt;c:\windows\system32\drivers\psinaflt.sys --> c:\windows\system32\drivers\PSINAflt.sys [?]
S2 PSINFile;PSINFile;c:\windows\system32\drivers\psinfile.sys --> c:\windows\system32\drivers\PSINFile.sys [?]
S2 PSINProc;PSINProc;c:\windows\system32\drivers\psinproc.sys --> c:\windows\system32\drivers\PSINProc.sys [?]
S2 PSINProt;PSINProt;c:\windows\system32\drivers\psinprot.sys --> c:\windows\system32\drivers\PSINProt.sys [?]
S2 SbPF.Launcher;SbPF.Launcher;"c:\program files\sunbelt software\personal firewall\sbpflnch.exe" --> c:\program files\sunbelt software\personal firewall\SbPFLnch.exe [?]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2009-3-13 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-3-13 14336]
S4 SPF4;Sunbelt Personal Firewall 4;"c:\program files\sunbelt software\personal firewall\sbpfsvc.exe" --> c:\program files\sunbelt software\personal firewall\SbPFSvc.exe [?]
.
=============== Created Last 30 ================
.
2011-10-22 06:01:41 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{15c3d299-1c23-4d48-a586-8ad91cff8144}\MpKsl2b076922.sys
2011-10-22 06:01:21 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{15c3d299-1c23-4d48-a586-8ad91cff8144}\offreg.dll
2011-10-22 06:01:15 6668624 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{15c3d299-1c23-4d48-a586-8ad91cff8144}\mpengine.dll
2011-10-19 19:25:36 33984 ----a-w- c:\windows\system32\cmdcsr.dll
2011-10-19 03:19:25 7269712 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{cde12c69-7e5f-4034-b4cb-a2762452a09f}\mpengine.dll
2011-10-15 09:31:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-10-12 14:52:15 -------- d-----w- c:\program files\iPod
2011-10-12 14:52:08 -------- d-----w- c:\program files\iTunes
2011-10-12 14:46:09 -------- d-----w- c:\program files\Bonjour
2011-10-08 13:09:00 -------- d-----w- c:\program files\Paint.NET
2011-10-08 13:08:18 -------- d-----w- c:\documents and settings\adrienne\local settings\application data\Paint.NET
2011-10-08 00:05:50 323624 ----a-w- c:\windows\system32\wiaaut.dll
2011-10-02 07:11:58 -------- d-----w- c:\documents and settings\adrienne\application data\LOVE
2011-10-01 02:32:17 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-09-27 06:10:23 388096 ----a-r- c:\documents and settings\adrienne\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-09-27 06:10:22 -------- d-----w- c:\program files\Trend Micro
2011-09-27 02:05:15 6668624 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-09-25 11:25:59 -------- d-----w- c:\documents and settings\all users\application data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-09-25 10:48:30 -------- d-----w- c:\program files\Microsoft Security Client
2011-09-24 14:16:42 -------- d-----w- c:\documents and settings\adrienne\application data\AVG2012
2011-09-24 14:15:06 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
2011-09-24 13:58:40 81984 ----a-w- c:\windows\system32\bdod.bin
2011-09-24 13:46:24 -------- d-----w- c:\documents and settings\all users\application data\BitDefender
2011-09-24 00:21:19 -------- d-----w- c:\program files\Microsoft Chat
2011-09-22 08:37:20 -------- d--h--w- C:\VritualRoot
2011-09-22 08:23:50 -------- d-----w- c:\documents and settings\all users\application data\Comodo
2011-09-22 08:23:30 -------- d-----w- c:\program files\COMODO
2011-09-22 08:22:23 -------- d-----w- c:\documents and settings\all users\application data\Comodo Downloader
.
==================== Find3M ====================
.
2011-10-07 17:48:01 31704 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-10-07 17:48:00 492768 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-10-07 17:47:59 18056 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-10-07 17:47:10 300200 ----a-w- c:\windows\system32\guard32.dll
2011-10-05 04:34:52 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-26 18:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20:51 1858944 ------w- c:\windows\system32\win32k.sys
2011-09-01 00:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-31 06:05:04 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-31 06:05:04 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-08-31 06:05:04 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-08-31 06:05:04 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48:54 43520 ------w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56:39 385024 ------w- c:\windows\system32\html.iec
2011-08-17 13:49:54 138496 ------w- c:\windows\system32\drivers\afd.sys
2011-08-10 04:06:00 280276 ------w- c:\windows\system32\nvdrsdb1.bin
2011-08-10 04:06:00 1 ------w- c:\windows\system32\nvdrssel.bin
2011-08-10 04:05:56 280276 ------w- c:\windows\system32\nvdrsdb0.bin
2011-07-31 02:43:37 128000 ------w- c:\windows\system32\javacpl.cpl
2011-07-31 02:43:36 544656 ------w- c:\windows\system32\deployJava1.dll
.
============= FINISH: 23:05:33.37 ===============

Attached File(s)


Posted Image
It's pronounced Goon-toe!

#4 User is online   myrti 

  • bleepin' _temp_
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 27,521
  • Joined: 25-January 08
  • Gender:Female
  • Location:At home

Posted 22 October 2011 - 02:16 PM

Well hello hello hello. Who do we have here. :P

You want to work with me through this or rather just have your logs checked?

regards myrti
If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM!

Posted Image
Please don't send help request via PM, unless I am already helping you. Use the forums!

I know not with what weapons World War III will be fought, but World War IV will be fought with sticks and stones. ~ Albert Einstein
Heroism on command, senseless violence, and all the loathsome nonsense that goes by the name of patriotism -- how passionately I hate them! ~ Albert Einstein

#5 User is offline   Gunto 

  • Senior Member
  • PipPipPipPip
  • Find Topics
  • Group: Malware Study Hall Junior
  • Posts: 369
  • Joined: 05-October 10
  • Gender:Female
  • Location:In front of a computer

Posted 23 October 2011 - 01:35 AM

Yes, probably you least expected me of all people. :P

I'd like you to work with me through this, please. :)
Posted Image
It's pronounced Goon-toe!

#6 User is online   myrti 

  • bleepin' _temp_
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 27,521
  • Joined: 25-January 08
  • Gender:Female
  • Location:At home

Posted 23 October 2011 - 04:46 AM

Hi,

have you researched a bit about Spigot and how to remove the toolbar? Did you find any connection between the chagned search provider and the toolbar?

Which anti virus program are you currently using? The traces of how many can you see in your log?

regards myrti
If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM!

Posted Image
Please don't send help request via PM, unless I am already helping you. Use the forums!

I know not with what weapons World War III will be fought, but World War IV will be fought with sticks and stones. ~ Albert Einstein
Heroism on command, senseless violence, and all the loathsome nonsense that goes by the name of patriotism -- how passionately I hate them! ~ Albert Einstein

#7 User is offline   Gunto 

  • Senior Member
  • PipPipPipPip
  • Find Topics
  • Group: Malware Study Hall Junior
  • Posts: 369
  • Joined: 05-October 10
  • Gender:Female
  • Location:In front of a computer

Posted 23 October 2011 - 05:31 AM

Yeah, I Googled Spigot a bit and nearly all the site results said that Spigot produces malware. I removed the toolbar using Revo Uninstaller. After I removed YTD and the toolbar, my search provider was Google again. The Spigot website also had a red WOT icon next to it.

Using Microsoft Security Essentials.

This post has been edited by Gunto: 23 October 2011 - 05:32 AM

Posted Image
It's pronounced Goon-toe!

#8 User is online   myrti 

  • bleepin' _temp_
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 27,521
  • Joined: 25-January 08
  • Gender:Female
  • Location:At home

Posted 23 October 2011 - 06:50 AM

Hi,

yes indeed. Spigot has a very shady reputation. They are most famous for SearchSettings, a type of adware that also came bundled with many free programs. Spigot is one of many firms, that have a very bad reputation online, despite the fact that they are less annoying now than they were 5 years ago. Sure, they're still no angels now, however they do provide uninstallers for their toolbars and programs and usually give an opt-in to install the tool. (Except for "bugs" as you may have experienced)
Due to those behavioural changes, they are nowadays classified as "PUP" (potentially unwanted program) by many anti virus programs not malware, even if their reputation remains a lot worse. You can also see this easily when you compare the rating on myWOT.com (which is community based, so many people voting what they think of the site) and siteadvisor.com, which is run by McAfee and checks other criteries, like existence of malicious downloads, etc.

All of this to tell you: Spigot is not safe, but it is not what is known as malware today either. If you uninstalled the toolbar, this is likely the last you've seen of it.

Can you tell me which AVP has leftovers showing in your log? There are a lot more than "just" MSSE :wink:
If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM!

Posted Image
Please don't send help request via PM, unless I am already helping you. Use the forums!

I know not with what weapons World War III will be fought, but World War IV will be fought with sticks and stones. ~ Albert Einstein
Heroism on command, senseless violence, and all the loathsome nonsense that goes by the name of patriotism -- how passionately I hate them! ~ Albert Einstein

#9 User is offline   Gunto 

  • Senior Member
  • PipPipPipPip
  • Find Topics
  • Group: Malware Study Hall Junior
  • Posts: 369
  • Joined: 05-October 10
  • Gender:Female
  • Location:In front of a computer

Posted 23 October 2011 - 07:24 AM

Hello,

Ah, thank you, I don't remember reading some of that. It's just best to safe than sorry, though. :)

Ah, yes, apologies, I misread your last post. I see remnants of AVG and Panda Cloud, and some of Sunbelt as well.
Posted Image
It's pronounced Goon-toe!

#10 User is online   myrti 

  • bleepin' _temp_
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 27,521
  • Joined: 25-January 08
  • Gender:Female
  • Location:At home

Posted 23 October 2011 - 08:51 AM

Hi,

what can you tell me about this file:

Quote

c:\windows\system32\drivers\rtuzkzhq.sys


What would you do with it?

Do you think the leftovers of those AVP should be removed or left behind?

regards myrti
If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM!

Posted Image
Please don't send help request via PM, unless I am already helping you. Use the forums!

I know not with what weapons World War III will be fought, but World War IV will be fought with sticks and stones. ~ Albert Einstein
Heroism on command, senseless violence, and all the loathsome nonsense that goes by the name of patriotism -- how passionately I hate them! ~ Albert Einstein

#11 User is offline   Gunto 

  • Senior Member
  • PipPipPipPip
  • Find Topics
  • Group: Malware Study Hall Junior
  • Posts: 369
  • Joined: 05-October 10
  • Gender:Female
  • Location:In front of a computer

Posted 23 October 2011 - 09:27 AM

I don't recognize the file... never heard of it. I think it would be best to have it removed.

I'd think the remnants should be removed.
Posted Image
It's pronounced Goon-toe!

#12 User is online   myrti 

  • bleepin' _temp_
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 27,521
  • Joined: 25-January 08
  • Gender:Female
  • Location:At home

Posted 30 October 2011 - 07:10 PM

hi,

very sorry for the delay. Next time I miss your reply, please PM me after 48-72h. Any longer and you can be sure I must have missed or overlooked your thread.

Do you know how to check the date of the file creation? Do you remember just what you were doing at that time?

regards myrti
(PS: I do not believe that you are currently infected, if I thought you were, we would be doing less discussing and more acting on it. The program installed a toolbar, which you prevented to install.)
If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM!

Posted Image
Please don't send help request via PM, unless I am already helping you. Use the forums!

I know not with what weapons World War III will be fought, but World War IV will be fought with sticks and stones. ~ Albert Einstein
Heroism on command, senseless violence, and all the loathsome nonsense that goes by the name of patriotism -- how passionately I hate them! ~ Albert Einstein

#13 User is offline   Gunto 

  • Senior Member
  • PipPipPipPip
  • Find Topics
  • Group: Malware Study Hall Junior
  • Posts: 369
  • Joined: 05-October 10
  • Gender:Female
  • Location:In front of a computer

Posted 31 October 2011 - 06:24 PM

Hello,

Ok, I'll keep that in mind, thanks. :)

I can see the file creation time in the log. I cannot remember what I was doing at the time, but it's very likely I was somewhere in the YTD updating process.

Gunto
(That's good, I am posting simply because I found the ApplicationUpdater.exe remnant fishy)
Posted Image
It's pronounced Goon-toe!

#14 User is online   myrti 

  • bleepin' _temp_
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 27,521
  • Joined: 25-January 08
  • Gender:Female
  • Location:At home

Posted 01 November 2011 - 05:16 PM

Hi,

wasn't it possibly shortly thereafter? Do you still have your gmer log? Can you see the file name somewhere in there?

regards myrti
If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM!

Posted Image
Please don't send help request via PM, unless I am already helping you. Use the forums!

I know not with what weapons World War III will be fought, but World War IV will be fought with sticks and stones. ~ Albert Einstein
Heroism on command, senseless violence, and all the loathsome nonsense that goes by the name of patriotism -- how passionately I hate them! ~ Albert Einstein

#15 User is offline   Gunto 

  • Senior Member
  • PipPipPipPip
  • Find Topics
  • Group: Malware Study Hall Junior
  • Posts: 369
  • Joined: 05-October 10
  • Gender:Female
  • Location:In front of a computer

Posted 01 November 2011 - 05:29 PM

Hi,

Yes, possibly. I still have the log, and the file name is not in there.

Gunto
Posted Image
It's pronounced Goon-toe!

Share this topic:


  • 3 Pages +
  • 1
  • 2
  • 3
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users