trojan:win32/agentbypass.gen!k - infection


This topic is locked. 12 replies to this topic.

#1 A.K (Members, 8 posts)

Posted 08 January 2009 - 03:49 AM

Hi
It all started yesterday when Windows Defender told me that I had a "trojan:win32/agentbypass.gen!k" infection. I got it to remove it with Defender and it said it did the job, and I also ran a full scan with Defender and my Norton, but nothing was found. When I started up my computer again it was back again. Someone on this forum had what seemed to be exactly the same problem, so I did what he was instructed to do, and with Malwarebytes' Anti-Malware and a full scan with SUPERAntiSpyware Free Edition it wasn't found. Then on that thread it was suggested that I come here and try with you guys.

Only Windows Defender seems to be able to spot the trojan, and it only happens when I start my computer up and log in. I also noticed it always happens about 1 min after I log in.

The laptop is fairly new - just over one month old - and it has always had a firewall up and Norton and Windows Defender running (although Norton doesn't seem to update for some reason). I don't know a lot of technical things, so can you make the instructions clear please (like you had in the "Preparation Guide For Use Before Using Hijackthis and other Malware Removal Tools, Instructions for receiving help in cleaning your computer" post).

Thanks very much for your help in advance
AK

Here's DDS.txt:

DDS (Ver_09-01-07.01) - NTFSx86
Run by Abhilash Kamineni at 21:06:31.38 on Thu 08/01/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.64.1033.18.3068.1795 [GMT 13:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_a7e996cd\STacSV.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\rundll32.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_a7e996cd\aestsrv.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
C:\Windows\SMINST\BLService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Abhilash Kamineni\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.nz/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_nz&c=83&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_nz&c=83&bd=Pavilion&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_nz&c=83&bd=Pavilion&pf=cnnb
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
BHO: AOL Toolbar BHO: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.5\CoIEPlg.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Free Uploader Oe Integration] c:\program files\free download manager\fum\fumoei.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" update "software\cyberlink\youcam\2.0"
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [OnScreenDisplay] c:\program files\hewlett-packard\hp quicktouch\HPKBDAPP.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_06\bin\jusched.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &AOL Toolbar Search - c:\programdata\aol\ietoolbar\resources\en-nz\local\search.html
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - c:\program files\free download manager\fum\fumiebtn.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\ipsdefs\20090102.001\IDSvix86.sys [2009-1-6 270384]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-8-11 193840]
R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2008-1-25 52736]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-8-11 109616]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2008-7-8 96856]
R3 NETw5v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\drivers\NETw5v32.sys [2008-11-9 3658752]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-5-14 43552]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2008-6-13 41008]
R4 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_a7e996cd\AEstSrv.exe [2008-11-9 77824]
R4 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\microsoft small business\business contact manager\BcmSqlStartupSvc.exe [2008-1-11 30312]
R4 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2008-3-19 19456]
R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-7 149352]
R4 Recovery Service for Windows;Recovery Service for Windows;c:\windows\sminst\BLService.exe [2008-8-11 361808]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-13 23888]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2007-2-10 29178224]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]

=============== Created Last 30 ================

2009-01-08 18:55 <DIR> --d----- C:\Temp
2009-01-08 15:42 <DIR> --d----- c:\program files\MSXML 4.0
2009-01-08 12:39 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-01-08 12:39 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-01-08 12:39 <DIR> --d----- c:\users\abhila~1\appdata\roaming\SUPERAntiSpyware.com
2009-01-08 12:39 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-08 12:38 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-08 12:17 <DIR> --d----- c:\users\abhila~1\appdata\roaming\Malwarebytes
2009-01-08 12:17 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-08 12:17 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-08 12:17 <DIR> --d----- c:\programdata\Malwarebytes
2009-01-08 12:17 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-08 12:17 <DIR> --d----- c:\progra~2\Malwarebytes
2009-01-08 12:16 428,544 a------- c:\windows\system32\EncDec.dll
2009-01-08 12:16 293,376 a------- c:\windows\system32\psisdecd.dll
2009-01-08 12:16 217,088 a------- c:\windows\system32\psisrndr.ax
2009-01-08 12:16 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-01-08 12:16 80,896 a------- c:\windows\system32\MSNP.ax
2009-01-08 12:16 57,856 a------- c:\windows\system32\MSDvbNP.ax
2009-01-08 12:16 12,240,896 a------- c:\windows\system32\NlsLexicons0007.dll
2009-01-08 12:16 2,644,480 a------- c:\windows\system32\NlsLexicons0009.dll
2009-01-08 12:16 801,280 a------- c:\windows\system32\NaturalLanguage6.dll
2009-01-08 12:09 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-01-08 12:09 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-01-08 12:09 1,695,744 a------- c:\windows\system32\gameux.dll
2009-01-07 22:47 <DIR> --d----- c:\users\abhilash kamineni\DoctorWeb
2009-01-07 19:12 <DIR> --d----- c:\program files\tcnzActivation
2009-01-07 19:11 <DIR> --d----- c:\program files\common files\Motive
2009-01-07 19:10 <DIR> --d----- c:\programdata\Motive
2008-12-19 22:31 <DIR> -cdsh--- c:\program files\common files\WindowsLiveInstaller
2008-12-19 22:30 <DIR> --d----- c:\programdata\WLInstaller
2008-12-17 21:48 296,960 a------- c:\windows\system32\gdi32.dll
2008-12-17 21:39 129,784 -------- c:\windows\system32\pxafs.dll
2008-12-16 23:18 <DIR> --d----- c:\programdata\GRETECH
2008-12-16 23:18 <DIR> --d----- c:\progra~2\GRETECH
2008-12-16 23:17 <DIR> --d----- c:\program files\GRETECH
2008-12-16 22:53 <DIR> --d----- c:\program files\SDP Multimedia
2008-12-16 10:20 2,048 a------- c:\windows\system32\tzres.dll
2008-12-15 13:46 2,927,104 a------- c:\windows\explorer.exe
2008-12-15 13:46 827,392 a------- c:\windows\system32\wininet.dll
2008-12-15 13:40 2,868,736 a------- c:\windows\system32\mf.dll
2008-12-15 13:40 996,352 a------- c:\windows\system32\WMNetMgr.dll
2008-12-15 13:40 94,720 a------- c:\windows\system32\logagent.exe
2008-12-15 13:10 <DIR> --d----- c:\program files\Microsoft IntelliPoint
2008-12-15 11:16 784,896 a------- c:\windows\system32\rpcrt4.dll
2008-12-15 11:16 891,448 a------- c:\windows\system32\drivers\tcpip.sys
2008-12-15 11:16 72,192 a------- c:\windows\system32\drivers\pacer.sys
2008-12-15 11:16 15,360 a------- c:\windows\system32\pacerprf.dll
2008-12-15 10:56 269,312 a------- c:\windows\system32\es.dll
2008-12-15 10:55 303,616 a------- c:\windows\system32\wmpeffects.dll
2008-12-15 10:55 2,032,640 a------- c:\windows\system32\win32k.sys
2008-12-14 18:07 1,191,936 a------- c:\windows\system32\msxml3.dll
2008-12-13 18:26 712,704 a------- c:\windows\system32\WindowsCodecs.dll
2008-12-13 18:26 425,472 a------- c:\windows\system32\PhotoMetadataHandler.dll
2008-12-13 18:26 347,136 a------- c:\windows\system32\WindowsCodecsExt.dll
2008-12-13 18:25 1,314,816 a------- c:\windows\system32\quartz.dll

==================== Find3M ====================

2009-01-08 20:59 87,571 a------- c:\programdata\nvModes.dat
2009-01-08 20:59 87,571 a------- c:\progra~2\nvModes.dat
2009-01-07 22:23 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-07 22:23 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-07 22:23 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-01-07 22:20 86,016 a------- c:\windows\inf\infstrng.dat
2009-01-07 22:20 86,016 a------- c:\windows\inf\infstor.dat
2009-01-07 22:20 51,200 a------- c:\windows\inf\infpub.dat
2008-12-18 19:54 114,688 a------- c:\windows\system32\msvos.dll
2008-12-07 06:56 665,600 a------- c:\windows\inf\drvindex.dat
2008-12-06 11:47 87,608 a------- c:\users\abhila~1\appdata\roaming\inst.exe
2008-12-06 11:47 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2008-12-06 11:47 47,360 a------- c:\users\abhila~1\appdata\roaming\pcouffin.sys
2008-12-04 21:56 2,231,606 a------- c:\programdata\Games.exe
2008-12-04 21:56 2,231,606 a------- c:\progra~2\Games.exe
2008-12-04 20:14 3,063,561 a------- c:\programdata\MobileTV.exe
2008-12-04 20:14 3,063,561 a------- c:\progra~2\MobileTV.exe
2008-12-04 20:14 2,989,660 a------- c:\programdata\DVD.exe
2008-12-04 20:14 2,989,660 a------- c:\progra~2\DVD.exe
2008-12-04 20:14 2,864,396 a------- c:\programdata\MPV.exe
2008-12-04 20:14 2,864,396 a------- c:\progra~2\MPV.exe
2008-12-04 20:14 2,331,174 a------- c:\programdata\Karaoke.exe
2008-12-04 20:14 2,331,174 a------- c:\progra~2\Karaoke.exe
2008-12-04 16:59 0 a--shr-- c:\windows\system32\drivers\103C_HP_cNB_Pavilion dv7 Notebook PC_Y5335KV_0U_QCND8454QZH_E464632-372_4A_I30F4_SCompal_V99.75_F.13_T081001_WV3-1_L409_M3069_J250_7Intel_8676_92.27_#081108_N10EC8168;80864237_(NE554PA#ABG)_XMOBILE_CN10_Z_2F.13.MRK
2008-12-04 11:34 30,088 a------- c:\windows\system32\drivers\point32k.sys
2008-11-01 16:44 52,736 a------- c:\windows\apppatch\iebrshim.dll
2008-11-01 16:44 2,154,496 a------- c:\windows\apppatch\AcGenral.dll
2008-11-01 16:44 541,696 a------- c:\windows\apppatch\AcLayers.dll
2008-11-01 16:44 460,288 a------- c:\windows\apppatch\AcSpecfc.dll
2008-11-01 16:44 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2008-10-22 16:57 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2008-10-21 18:25 1,645,568 a------- c:\windows\system32\connect.dll
2008-10-17 09:56 1,524,736 a------- c:\windows\system32\wucltux.dll
2008-10-17 09:55 83,456 a------- c:\windows\system32\wudriver.dll
2008-10-16 14:08 162,064 a------- c:\windows\system32\wuwebv.dll
2008-10-16 13:56 31,232 a------- c:\windows\system32\wuapp.exe
2008-01-21 15:43 174 a--sh--- c:\program files\desktop.ini
2006-11-03 01:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-03 01:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-03 01:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-03 01:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 22:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 22:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 22:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 22:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 21:06:52.60 ===============
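
The log above is the evidence the helpers work from, and the autorun entries (uRun/mRun/BHO/Notify), the services and the two file-listing sections are where a first pass concentrates. As an added example, not part of this thread and not a BleepingComputer or DDS tool, the Python script below does that first pass offline over an excerpt of the log: it splits DDS output on its "====" section headers, flags registered entries whose target is "No File" or lives under a directory a standard user can write to (Users, AppData, ProgramData and its 8.3 alias progra~2, Temp), lists executables and drivers that sit in those directories, and builds a timeline of entries dated around 7 January 2009, the day the poster says the detections began. The sample input is excerpted from the first DDS.txt above with blank lines dropped, plus one constructed "uRun: [updater]" line that is not in the log and exists only to exercise the location check; the section layout is assumed to be that of DDS Ver_09-01-07 as printed above, and progra~2 is assumed to be ProgramData (the duplicate Games.exe entries in the log support this).

```python
"""Offline triage of a DDS.txt log (an added example, not a BleepingComputer or DDS tool).
Assumes the DDS Ver_09-01-07 section layout shown above and that 'progra~2' is the 8.3
alias of ProgramData on this machine (the log's duplicate Games.exe entries support this)."""
import re
from datetime import date, timedelta

# Sample input: lines excerpted from the first DDS.txt above (blank lines dropped)
# plus ONE constructed line, "uRun: [updater] ...", that is NOT in the log and
# exists only to exercise the writable-location check.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
uRun: [updater] c:\users\abhila~1\appdata\roaming\updater.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
============= SERVICES / DRIVERS ===============
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
=============== Created Last 30 ================
2009-01-08 12:17 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-07 22:47 <DIR> --d----- c:\users\abhilash kamineni\DoctorWeb
2009-01-07 19:12 <DIR> --d----- c:\program files\tcnzActivation
==================== Find3M ====================
2008-12-06 11:47 87,608 a------- c:\users\abhila~1\appdata\roaming\inst.exe
2008-12-06 11:47 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2008-12-06 11:47 47,360 a------- c:\users\abhila~1\appdata\roaming\pcouffin.sys
2008-12-04 21:56 2,231,606 a------- c:\programdata\Games.exe
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# First executable-looking path (drive letter or %VAR% root) in a fragment.
PATH_RE = re.compile(r'(?:[a-z]:|%[^%]+%)\\[^\[\]"]+?\.(?:exe|dll|sys|scr|pif|com|bat|cmd)\b', re.I)
# Directories a standard user can write to; code that loads from here deserves a look.
WRITABLE_RE = re.compile(r"\\(?:users|appdata|programdata|progra~2|temp)\\", re.I)
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+\S+\s+(.+)$")
BIN_RE = re.compile(r"\.(?:exe|dll|sys|scr|pif|com)$", re.I)


def split_sections(text):
    """Map each DDS section header (e.g. 'Pseudo HJT Report') to its non-blank lines."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line:
            sections[current].append(line)
    return sections


def flag_autoruns(sections):
    """Autorun/BHO/Notify/service entries with no backing file or a user-writable target."""
    findings = []
    for line in sections.get("Pseudo HJT Report", []) + sections.get("SERVICES / DRIVERS", []):
        if line.endswith("No File"):
            findings.append((line, "registered but target file missing"))
            continue
        m = PATH_RE.search(line.rsplit(" - ", 1)[-1])  # the target is the last ' - ' field
        if m and WRITABLE_RE.search(m.group(0)):
            findings.append((line, "loads from a user-writable location"))
    return findings


def file_entries(sections):
    """(date, time, size-or-<DIR>, path) tuples from the Created Last 30 and Find3M sections."""
    for name in ("Created Last 30", "Find3M"):
        for line in sections.get(name, []):
            m = FILE_RE.match(line)
            if m:
                yield m.groups()


def loose_binaries(sections):
    """Executables and drivers that sit in user-writable directories."""
    return [path for _, _, size, path in file_entries(sections)
            if size != "<DIR>" and WRITABLE_RE.search(path) and BIN_RE.search(path)]


def timeline(sections, onset, before=1, after=0):
    """(timestamp, path) entries dated from `before` days before the ISO date `onset`
    (the day symptoms began) to `after` days past it, oldest first."""
    on = date.fromisoformat(onset)
    lo, hi = on - timedelta(days=before), on + timedelta(days=after)
    return sorted((f"{d} {t}", path) for d, t, _, path in file_entries(sections)
                  if lo <= date.fromisoformat(d) <= hi)


if __name__ == "__main__":
    secs = split_sections(SAMPLE_LOG)
    for entry, why in flag_autoruns(secs):
        print(f"[autorun] {why}: {entry}")
    for path in loose_binaries(secs):
        print(f"[loose]   {path}")
    for when, path in timeline(secs, "2009-01-07"):  # symptoms began 7 Jan 2009
        print(f"[dated]   {when}  {path}")
```

A hit is a prompt to pull the file and check its publisher, signature and hash, not a verdict: legitimate installers and driver packages also drop files in AppData and ProgramData, so the Roaming and ProgramData entries this turns up on the log above need that check before anything is deleted. The AV/FW header lines are also worth reading before the rest of the log; between the two DDS logs in this thread they change from (Updated)/enabled to (Outdated)/disabled, which matches the poster's remark that Norton is not updating.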


#2 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 14 January 2009 - 03:19 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log.

Saw another topic with this infection. Not sure if it's a false positive. Let's see what we can find.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following so I can have a look at the current condition of your machine.

You may want to keep the link to this topic in your favourites. Alternatively, you can use the button at the top bar of this topic to Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Download and Run DDS
If you already have a copy of DDS, there is no need to download a new one.

Download DDS by sUBs from any of the links below:
DDS.com, DDS.scr, DDS.pif

Double click its icon to run it. If you are using Windows Vista, right click it and select "Run as Administrator".
When the scan is finished, two logs will open.
Post DDS.txt directly into your reply. Attach Attach.txt.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. If you are using Windows Vista, right click the icon and select "Run as Administrator". Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
Please tell me what changes have been made to the computer since your topic was started. Also give me an update on any symptoms.

With Regards,
The Panda

#3 A.K (Topic Starter, Members, 8 posts)

Posted 14 January 2009 - 04:49 PM

Hi PP
Thanks for helping me out, I really appreciate it.
I got those logs which you wanted. Just a note about the GMER log: the first time I did it I forgot to close Internet Explorer and my laptop crashed, so I ran it a second time, and after it finished I tried to pull up this website for your instructions, and when I got back to the GMER window the Scan, Copy and Save buttons had disappeared. I don't know how it happened, so I wasn't able to save that log. Then I tried to run it for a third time, but again I forgot to close IE and my laptop crashed. So this is the log from the 4th time I ran it. In the second scan it found a lot more files than it did in this log which I am posting now, and I think for about 5 of them under the value column it said "rootkit like behaviour, copy ..." I assume it said "copy of MBR" or something like that, because the other files above this one said "copy of MBR" or similar under the value column.

Recently I have installed DivX Player and I think that was it. The shutdown and startup seem to take a long time sometimes. Also, on a couple of days when I got to the login screen, the screen resolution changed from my normal 1440*900 to 800*600. This only happened two times and hasn't happened since then.

Thanks again, I really appreciate it.
AK


DDS (Ver_09-01-07.01) - NTFSx86
Run by Abhilash Kamineni at 9:46:52.56 on Thu 15/01/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.64.1033.18.3068.1656 [GMT 13:00]

AV: Norton Internet Security *On-access scanning enabled* (Outdated)
FW: Norton Internet Security *disabled*

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_a7e996cd\STacSV.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\rundll32.exe
C:\Windows\System32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_a7e996cd\aestsrv.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
C:\Windows\SMINST\BLService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wuauclt.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Abhilash Kamineni\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.nz/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_nz&c=83&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_nz&c=83&bd=Pavilion&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_nz&c=83&bd=Pavilion&pf=cnnb
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AOL Toolbar BHO: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.5\CoIEPlg.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Free Uploader Oe Integration] c:\program files\free download manager\fum\fumoei.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" update "software\cyberlink\youcam\2.0"
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [OnScreenDisplay] c:\program files\hewlett-packard\hp quicktouch\HPKBDAPP.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [ALUAlert] c:\program files\symantec\liveupdate\ALuNotify.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &AOL Toolbar Search - c:\programdata\aol\ietoolbar\resources\en-nz\local\search.html
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - c:\program files\free download manager\fum\fumiebtn.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\ipsdefs\20090102.001\IDSvix86.sys [2009-1-6 270384]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-8-11 193840]
R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2008-1-25 52736]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-8-11 109616]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2008-7-8 96856]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-5-14 43552]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2008-6-13 41008]
R4 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_a7e996cd\AEstSrv.exe [2008-11-9 77824]
R4 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\microsoft small business\business contact manager\BcmSqlStartupSvc.exe [2008-1-11 30312]
R4 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2008-3-19 24880]
R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-7 149352]
R4 Recovery Service for Windows;Recovery Service for Windows;c:\windows\sminst\BLService.exe [2008-8-11 361808]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-13 23888]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-8-5 29184016]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]

=============== Created Last 30 ================

2009-01-14 12:15 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-14 12:13 288,768 a------- c:\windows\system32\drivers\srv.sys
2009-01-13 16:05 <DIR> --d----- c:\program files\common files\PX Storage Engine
2009-01-13 16:04 <DIR> --d----- c:\program files\DivX
2009-01-13 14:52 <DIR> --d----- c:\program files\uTorrent
2009-01-13 14:51 <DIR> --d----- c:\users\abhila~1\appdata\roaming\uTorrent
2009-01-13 13:55 <DIR> --d----- c:\program files\PeerGuardian2
2009-01-09 17:54 <DIR> --d----- c:\windows\SQL9_KB954606_ENU
2009-01-08 18:55 <DIR> --d----- C:\Temp
2009-01-08 15:42 <DIR> --d----- c:\program files\MSXML 4.0
2009-01-08 12:39 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-01-08 12:39 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-01-08 12:39 <DIR> --d----- c:\users\abhila~1\appdata\roaming\SUPERAntiSpyware.com
2009-01-08 12:39 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-08 12:38 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-08 12:17 <DIR> --d----- c:\users\abhila~1\appdata\roaming\Malwarebytes
2009-01-08 12:17 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-08 12:17 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-08 12:17 <DIR> --d----- c:\programdata\Malwarebytes
2009-01-08 12:17 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-08 12:17 <DIR> --d----- c:\progra~2\Malwarebytes
2009-01-08 12:16 428,544 a------- c:\windows\system32\EncDec.dll
2009-01-08 12:16 293,376 a------- c:\windows\system32\psisdecd.dll
2009-01-08 12:16 217,088 a------- c:\windows\system32\psisrndr.ax
2009-01-08 12:16 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-01-08 12:16 80,896 a------- c:\windows\system32\MSNP.ax
2009-01-08 12:16 57,856 a------- c:\windows\system32\MSDvbNP.ax
2009-01-08 12:16 12,240,896 a------- c:\windows\system32\NlsLexicons0007.dll
2009-01-08 12:16 2,644,480 a------- c:\windows\system32\NlsLexicons0009.dll
2009-01-08 12:16 801,280 a------- c:\windows\system32\NaturalLanguage6.dll
2009-01-08 12:09 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-01-08 12:09 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-01-08 12:09 1,695,744 a------- c:\windows\system32\gameux.dll
2009-01-07 22:47 <DIR> --d----- c:\users\abhilash kamineni\DoctorWeb
2009-01-07 19:12 <DIR> --d----- c:\program files\tcnzActivation
2009-01-07 19:11 <DIR> --d----- c:\program files\common files\Motive
2009-01-07 19:10 <DIR> --d----- c:\programdata\Motive
2008-12-23 03:47 138,240 a------- c:\windows\system32\drivers\Rtlh86.sys
2008-12-23 03:47 10,240 a------- c:\windows\system32\RtNicProp32.dll
2008-12-19 22:31 <DIR> -cdsh--- c:\program files\common files\WindowsLiveInstaller
2008-12-19 22:30 <DIR> --d----- c:\programdata\WLInstaller
2008-12-17 21:48 296,960 a------- c:\windows\system32\gdi32.dll
2008-12-17 21:39 129,784 -------- c:\windows\system32\pxafs.dll
2008-12-16 23:18 <DIR> --d----- c:\programdata\GRETECH
2008-12-16 23:18 <DIR> --d----- c:\progra~2\GRETECH
2008-12-16 23:17 <DIR> --d----- c:\program files\GRETECH
2008-12-16 22:53 <DIR> --d----- c:\program files\SDP Multimedia
2008-12-16 10:20 2,048 a------- c:\windows\system32\tzres.dll

==================== Find3M ====================

2009-01-15 09:39 87,571 a------- c:\programdata\nvModes.dat
2009-01-15 09:39 87,571 a------- c:\progra~2\nvModes.dat
2009-01-09 17:57 143,360 a------- c:\windows\inf\infstrng.dat
2009-01-09 17:57 51,200 a------- c:\windows\inf\infpub.dat
2009-01-09 17:57 86,016 a------- c:\windows\inf\infstor.dat
2009-01-07 22:23 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-07 22:23 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-07 22:23 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-12-18 19:54 114,688 a------- c:\windows\system32\msvos.dll
2008-12-11 13:33 200,704 a------- c:\windows\system32\dtu100.dll
2008-12-11 13:33 86,016 a------- c:\windows\system32\dpl100.dll
2008-12-09 15:28 593,920 a------- c:\windows\system32\dpuGUI11.dll
2008-12-09 15:28 344,064 a------- c:\windows\system32\dpus11.dll
2008-12-09 15:28 294,912 a------- c:\windows\system32\dpu11.dll
2008-12-09 15:28 57,344 a------- c:\windows\system32\dpv11.dll
2008-12-07 06:56 665,600 a------- c:\windows\inf\drvindex.dat
2008-12-06 11:47 87,608 a------- c:\users\abhila~1\appdata\roaming\inst.exe
2008-12-06 11:47 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2008-12-06 11:47 47,360 a------- c:\users\abhila~1\appdata\roaming\pcouffin.sys
2008-12-04 21:56 2,231,606 a------- c:\programdata\Games.exe
2008-12-04 21:56 2,231,606 a------- c:\progra~2\Games.exe
2008-12-04 20:14 3,063,561 a------- c:\programdata\MobileTV.exe
2008-12-04 20:14 3,063,561 a------- c:\progra~2\MobileTV.exe
2008-12-04 20:14 2,989,660 a------- c:\programdata\DVD.exe
2008-12-04 20:14 2,989,660 a------- c:\progra~2\DVD.exe
2008-12-04 20:14 2,864,396 a------- c:\programdata\MPV.exe
2008-12-04 20:14 2,864,396 a------- c:\progra~2\MPV.exe
2008-12-04 20:14 2,331,174 a------- c:\programdata\Karaoke.exe
2008-12-04 20:14 2,331,174 a------- c:\progra~2\Karaoke.exe
2008-12-04 16:59 0 a--shr-- c:\windows\system32\drivers\103C_HP_cNB_Pavilion dv7 Notebook PC_Y5335KV_0U_QCND8454QZH_E464632-372_4A_I30F4_SCompal_V99.75_F.13_T081001_WV3-1_L409_M3069_J250_7Intel_8676_92.27_#081108_N10EC8168;80864237_(NE554PA#ABG)_XMOBILE_CN10_Z_2F.13.MRK
2008-12-04 11:34 30,088 a------- c:\windows\system32\drivers\point32k.sys
2008-11-17 15:40 3,668,480 a------- c:\windows\system32\drivers\NETw5v32.sys
2008-11-07 05:37 524,288 a------- c:\windows\system32\DivXsm.exe
2008-11-07 05:37 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-07 05:35 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-07 05:35 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-07 05:33 823,296 a------- c:\windows\system32\divx_xx0c.dll
2008-11-07 05:33 823,296 a------- c:\windows\system32\divx_xx07.dll
2008-11-07 05:33 815,104 a------- c:\windows\system32\divx_xx0a.dll
2008-11-07 05:33 802,816 a------- c:\windows\system32\divx_xx11.dll
2008-11-07 05:33 684,032 a------- c:\windows\system32\DivX.dll
2008-11-07 05:33 12,288 a------- c:\windows\system32\DivXWMPExtType.dll
2008-11-01 16:44 52,736 a------- c:\windows\apppatch\iebrshim.dll
2008-11-01 16:44 2,154,496 a------- c:\windows\apppatch\AcGenral.dll
2008-11-01 16:44 541,696 a------- c:\windows\apppatch\AcLayers.dll
2008-11-01 16:44 460,288 a------- c:\windows\apppatch\AcSpecfc.dll
2008-11-01 16:44 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2008-10-29 19:29 2,927,104 a------- c:\windows\explorer.exe
2008-10-22 16:57 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2008-10-21 18:25 1,645,568 a------- c:\windows\system32\connect.dll
2008-10-17 09:56 1,524,736 a------- c:\windows\system32\wucltux.dll
2008-10-17 09:55 83,456 a------- c:\windows\system32\wudriver.dll
2008-01-21 15:43 174 a--sh--- c:\program files\desktop.ini
2006-11-03 01:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-03 01:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-03 01:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-03 01:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 22:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 22:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 22:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 22:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 9:47:16.55 ===============

GMER LOG:
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-15 10:34:03
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.14 ----

SSDT 8992BA50 ZwAlertResumeThread
SSDT 8992BB30 ZwAlertThread
SSDT 897FB928 ZwAllocateVirtualMemory
SSDT 897715B0 ZwAlpcConnectPort
SSDT 8992B7A0 ZwCreateMutant
SSDT 897FBB88 ZwCreateThread
SSDT 8992B420 ZwDebugActiveProcess
SSDT 897FB6A0 ZwFreeVirtualMemory
SSDT 8992B890 ZwImpersonateAnonymousToken
SSDT 8992B970 ZwImpersonateThread
SSDT 897FB5A0 ZwMapViewOfSection
SSDT 8992B6C0 ZwOpenEvent
SSDT 897FB9F8 ZwOpenProcessToken
SSDT 8992B500 ZwOpenSection
SSDT 8992B008 ZwOpenThreadToken
SSDT 89953428 ZwResumeThread
SSDT 8992BF28 ZwSetContextThread
SSDT 897FB3D0 ZwSetInformationProcess
SSDT 8992BE38 ZwSetInformationThread
SSDT 8992B5E0 ZwSuspendProcess
SSDT 8992BC78 ZwSuspendThread
SSDT \??\C:\Windows\system32\drivers\CO_Mon.sys ZwTerminateProcess [0x9D075760]
SSDT 8992BD58 ZwTerminateThread
SSDT 897FB4C0 ZwUnmapViewOfSection
SSDT 897FB838 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!KeSetTimerEx + 350 820F0914 8 Bytes [ 50, BA, 92, 89, 30, BB, 92, ... ]
.text ntkrnlpa.exe!KeSetTimerEx + 364 820F0928 4 Bytes [ 28, B9, 7F, 89 ]
.text ntkrnlpa.exe!KeSetTimerEx + 370 820F0934 4 Bytes [ B0, 15, 77, 89 ]
.text ntkrnlpa.exe!KeSetTimerEx + 428 820F09EC 4 Bytes [ A0, B7, 92, 89 ]
.text ntkrnlpa.exe!KeSetTimerEx + 454 820F0A18 4 Bytes [ 88, BB, 7F, 89 ]
.text ...

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002186723677
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002186d665c3
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002186d665c3@000fde4d557b 0xDE 0x5A 0x44 0x41 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\002186723677
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\002186d665c3
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\002186d665c3@000fde4d557b 0xDE 0x5A 0x44 0x41 ...

---- Files - GMER 1.0.14 ----

File C:\Users\Abhilash Kamineni\AppData\Local\Temp\~DF4FA9.tmp 0 bytes
File C:\Users\Abhilash Kamineni\AppData\Local\Temp\~DF4FCA.tmp 0 bytes
File C:\Users\Abhilash Kamineni\AppData\Local\Temp\~DF5097.tmp 0 bytes
File C:\Users\Abhilash Kamineni\AppData\Local\Temp\~DF50B8.tmp 0 bytes
File C:\Users\Abhilash Kamineni\AppData\Local\Temp\~DF511B.tmp 0 bytes
File C:\Users\Abhilash Kamineni\AppData\Local\Temp\~DF513C.tmp 0 bytes
File C:\Users\Abhilash Kamineni\AppData\Local\Temp\~DF5202.tmp 0 bytes
File C:\Users\Abhilash Kamineni\AppData\Local\Temp\~DF5225.tmp 0 bytes

---- EOF - GMER 1.0.14 ----

Edited by PropagandaPanda, 14 January 2009 - 05:41 PM.


#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:04:15 PM

Posted 14 January 2009 - 06:34 PM

Hello.

Please tell me what is being flagged as a trojan. Is it a file? A registry item?

Thanks,
The Panda

Edited by PropagandaPanda, 14 January 2009 - 06:47 PM.


#5 A.K

A.K
  • Topic Starter

  • Members
  • 8 posts
  • Local time:09:15 AM

Posted 14 January 2009 - 07:09 PM

Hi PP

I seriously don't know because Windows Defender isn't telling me anything like a file name. Here's all the information I could get out of it:

Category:

Trojan

Description:

This program is dangerous and exploits the computer on which it is run.

Advice:

Remove this software immediately.

Resources:

process:

pid:3992

Summary:

Application Execution change occurred.

This agent scans software just before it runs. You are alerted if the software has a high potential for harming your computer.

Checkpoint:

Running Processes

Does this help in any way? I can give you screenshots of what happens if you want.

Thanks
AK




#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:04:15 PM

Posted 14 January 2009 - 07:23 PM

Hello.

Looks like something has hooked into a Windows process.

Disable Realtime Protection
Antimalware programs can interfere with the tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

To disable Norton Antivirus.
  • Right click on the Norton icon beside your clock and select Disable Auto-Protect.
  • Select a disabled duration of 5 hours to ensure that it will not interfere with this fix.
  • Click OK to apply the settings.
When done properly, you should receive a pop-up warning saying that protection was disabled. The Norton icon should now look like [image].

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
    [image]
  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
    [image]
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.
With Regards,
The Panda

#7 A.K

A.K
  • Topic Starter

  • Members
  • 8 posts
  • Local time:09:15 AM

Posted 14 January 2009 - 08:04 PM

YUUSSSSS!!! ComboFix deleted a file and I think it got rid of the trojan.

Also, when I reboot I didn't get the warning from Windows Defender, so it seems to have worked.

Thanks PP
AK

Here's the Combofix log:

ComboFix 09-01-13.04 - Abhilash Kamineni 2009-01-15 13:44:22.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3068.1979 [GMT 13:00]
Running from: c:\users\Abhilash Kamineni\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Abhilash Kamineni\AppData\Roaming\inst.exe

.
((((((((((((((((((((((((( Files Created from 2008-12-15 to 2009-01-15 )))))))))))))))))))))))))))))))
.

2009-01-15 09:57 . 2009-01-15 10:17 439,298,721 --a------ c:\windows\MEMORY.DMP
2009-01-15 09:52 . 2009-01-15 10:19 250 --a------ c:\windows\gmer.ini
2009-01-14 12:15 . 2009-01-14 12:15 410,984 --a------ c:\windows\System32\deploytk.dll
2009-01-14 12:13 . 2008-12-16 15:42 288,768 --a------ c:\windows\System32\drivers\srv.sys
2009-01-13 16:06 . 2009-01-13 16:10 <DIR> d-------- c:\users\Abhilash Kamineni\AppData\Roaming\DivX
2009-01-13 16:05 . 2009-01-13 16:05 <DIR> d-------- c:\program files\Common Files\PX Storage Engine
2009-01-13 16:04 . 2009-01-13 16:05 <DIR> d-------- c:\program files\DivX
2009-01-13 14:52 . 2009-01-13 14:52 <DIR> d-------- c:\program files\uTorrent
2009-01-13 14:51 . 2009-01-13 17:34 <DIR> d-------- c:\users\Abhilash Kamineni\AppData\Roaming\uTorrent
2009-01-13 13:55 . 2009-01-13 14:10 <DIR> d-------- c:\program files\PeerGuardian2
2009-01-09 17:54 . 2009-01-09 17:54 <DIR> d-------- c:\windows\SQL9_KB954606_ENU
2009-01-08 18:55 . 2009-01-08 20:34 <DIR> d-------- C:\Temp
2009-01-08 15:42 . 2009-01-08 15:42 <DIR> d-------- c:\program files\MSXML 4.0
2009-01-08 12:39 . 2009-01-08 12:39 <DIR> d-------- c:\users\All Users\SUPERAntiSpyware.com
2009-01-08 12:39 . 2009-01-08 12:39 <DIR> d-------- c:\users\Abhilash Kamineni\AppData\Roaming\SUPERAntiSpyware.com
2009-01-08 12:39 . 2009-01-08 12:39 <DIR> d-------- c:\programdata\SUPERAntiSpyware.com
2009-01-08 12:39 . 2009-01-08 12:39 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-08 12:38 . 2009-01-08 12:38 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-08 12:17 . 2009-01-08 12:17 <DIR> d-------- c:\users\All Users\Malwarebytes
2009-01-08 12:17 . 2009-01-08 12:17 <DIR> d-------- c:\users\Abhilash Kamineni\AppData\Roaming\Malwarebytes
2009-01-08 12:17 . 2009-01-08 12:17 <DIR> d-------- c:\programdata\Malwarebytes
2009-01-08 12:17 . 2009-01-08 12:17 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-08 12:17 . 2009-01-04 18:41 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-01-08 12:17 . 2009-01-04 18:41 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-01-08 12:16 . 2008-06-26 14:45 12,240,896 --a------ c:\windows\System32\NlsLexicons0007.dll
2009-01-08 12:16 . 2008-06-26 14:45 2,644,480 --a------ c:\windows\System32\NlsLexicons0009.dll
2009-01-08 12:16 . 2008-06-26 16:29 801,280 --a------ c:\windows\System32\NaturalLanguage6.dll
2009-01-08 12:16 . 2008-08-05 22:49 428,544 --a------ c:\windows\System32\EncDec.dll
2009-01-08 12:16 . 2008-08-05 22:49 293,376 --a------ c:\windows\System32\psisdecd.dll
2009-01-08 12:16 . 2008-08-05 22:48 217,088 --a------ c:\windows\System32\psisrndr.ax
2009-01-08 12:16 . 2008-08-05 22:48 177,664 --a------ c:\windows\System32\mpg2splt.ax
2009-01-08 12:16 . 2008-08-05 22:48 80,896 --a------ c:\windows\System32\MSNP.ax
2009-01-08 12:16 . 2008-04-23 17:41 57,856 --a------ c:\windows\System32\MSDvbNP.ax
2009-01-08 12:09 . 2008-11-01 14:21 4,240,384 --a------ c:\windows\System32\GameUXLegacyGDFs.dll
2009-01-08 12:09 . 2008-03-08 17:21 1,695,744 --a------ c:\windows\System32\gameux.dll
2009-01-08 12:09 . 2008-11-01 16:44 28,672 --a------ c:\windows\System32\Apphlpdm.dll
2009-01-07 22:47 . 2009-01-07 22:47 <DIR> d-------- c:\users\Abhilash Kamineni\DoctorWeb
2009-01-07 19:42 . 2009-01-07 19:42 <DIR> d-------- c:\users\Abhilash Kamineni\AppData\Roaming\Motive
2009-01-07 19:12 . 2009-01-07 19:12 <DIR> d-------- c:\program files\tcnzActivation
2009-01-07 19:11 . 2009-01-07 19:11 <DIR> d-------- c:\program files\Common Files\Motive
2009-01-07 19:10 . 2009-01-07 19:12 <DIR> d-------- c:\users\All Users\Motive
2009-01-07 19:10 . 2009-01-07 19:12 <DIR> d-------- c:\programdata\Motive
2008-12-23 03:47 . 2008-12-23 03:47 138,240 --a------ c:\windows\System32\drivers\Rtlh86.sys
2008-12-23 03:47 . 2008-12-23 03:47 10,240 --a------ c:\windows\System32\RtNicProp32.dll
2008-12-21 14:52 . 2008-12-21 14:52 <DIR> d-------- c:\users\Public\CyberLink
2008-12-21 14:52 . 2008-12-24 17:13 <DIR> d-------- c:\users\Abhilash Kamineni\AppData\Roaming\CyberLink
2008-12-19 22:31 . 2009-01-07 21:48 <DIR> d-------- c:\program files\Windows Live
2008-12-19 22:31 . 2009-01-07 21:48 <DIR> d--hsc--- c:\program files\Common Files\WindowsLiveInstaller
2008-12-19 22:30 . 2009-01-07 21:46 <DIR> d-------- c:\users\All Users\WLInstaller
2008-12-19 22:30 . 2009-01-07 21:46 <DIR> d-------- c:\programdata\WLInstaller
2008-12-17 21:48 . 2008-10-21 18:25 296,960 --a------ c:\windows\System32\gdi32.dll
2008-12-17 21:39 . 2008-12-17 21:48 <DIR> d-------- c:\users\Abhilash Kamineni\AppData\Roaming\Winamp
2008-12-17 21:39 . 2008-12-17 21:42 <DIR> d-------- c:\program files\Winamp
2008-12-17 21:39 . 2008-11-07 05:37 129,784 --------- c:\windows\System32\pxafs.dll
2008-12-16 23:18 . 2008-12-16 23:18 <DIR> d-------- c:\users\All Users\GRETECH
2008-12-16 23:18 . 2008-12-16 23:18 <DIR> d-------- c:\programdata\GRETECH
2008-12-16 23:17 . 2008-12-16 23:17 <DIR> d-------- c:\users\Abhilash Kamineni\AppData\Roaming\GRETECH
2008-12-16 23:17 . 2008-12-16 23:17 <DIR> d-------- c:\program files\GRETECH
2008-12-16 22:53 . 2008-12-16 22:53 <DIR> d-------- c:\program files\SDP Multimedia
2008-12-16 10:20 . 2008-10-22 14:22 2,048 --a------ c:\windows\System32\tzres.dll
2008-12-15 13:46 . 2008-10-29 19:29 2,927,104 --a------ c:\windows\explorer.exe
2008-12-15 13:46 . 2008-10-16 17:47 827,392 --a------ c:\windows\System32\wininet.dll
2008-12-15 13:40 . 2008-06-23 14:59 2,868,736 --a------ c:\windows\System32\mf.dll
2008-12-15 13:40 . 2008-06-23 14:59 996,352 --a------ c:\windows\System32\WMNetMgr.dll
2008-12-15 13:40 . 2008-06-23 14:58 94,720 --a------ c:\windows\System32\logagent.exe
2008-12-15 13:10 . 2008-12-15 13:10 <DIR> d-------- c:\program files\Microsoft IntelliPoint
2008-12-15 11:16 . 2008-04-26 21:26 891,448 --a------ c:\windows\System32\drivers\tcpip.sys
2008-12-15 11:16 . 2008-04-12 16:32 784,896 --a------ c:\windows\System32\rpcrt4.dll
2008-12-15 11:16 . 2008-04-05 14:21 72,192 --a------ c:\windows\System32\drivers\pacer.sys
2008-12-15 11:16 . 2008-04-05 16:34 15,360 --a------ c:\windows\System32\pacerprf.dll
2008-12-15 10:56 . 2008-04-18 18:48 269,312 --a------ c:\windows\System32\es.dll
2008-12-15 10:55 . 2008-09-18 15:16 2,032,640 --a------ c:\windows\System32\win32k.sys
2008-12-15 10:55 . 2008-06-26 16:29 303,616 --a------ c:\windows\System32\wmpeffects.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-15 00:45 --------- d-----w c:\users\Abhilash Kamineni\AppData\Roaming\Free Download Manager
2009-01-15 00:34 87,571 ----a-w c:\users\All Users\nvModes.dat
2009-01-15 00:34 87,571 ----a-w c:\programdata\nvModes.dat
2009-01-14 20:46 --------- d-----w c:\programdata\Microsoft Help
2009-01-13 23:23 --------- d-----w c:\program files\Windows Mail
2009-01-13 23:15 --------- d-----w c:\program files\Java
2009-01-10 01:10 --------- d-----w c:\program files\Common Files\Adobe
2009-01-09 04:54 --------- d-----w c:\program files\Microsoft SQL Server
2009-01-07 09:25 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-07 09:23 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-01-07 09:23 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-07 09:23 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-07 09:23 --------- d-----w c:\program files\Symantec
2008-12-21 01:52 --------- d-----w c:\programdata\CyberLink
2008-12-18 06:54 114,688 ----a-w c:\windows\System32\msvos.dll
2008-12-17 09:47 --------- d-----w c:\programdata\Symantec
2008-12-11 00:33 86,016 ----a-w c:\windows\System32\dpl100.dll
2008-12-11 00:33 200,704 ----a-w c:\windows\System32\dtu100.dll
2008-12-09 02:28 593,920 ----a-w c:\windows\System32\dpuGUI11.dll
2008-12-09 02:28 57,344 ----a-w c:\windows\System32\dpv11.dll
2008-12-09 02:28 344,064 ----a-w c:\windows\System32\dpus11.dll
2008-12-09 02:28 294,912 ----a-w c:\windows\System32\dpu11.dll
2008-12-05 22:48 --------- d-----w c:\users\Abhilash Kamineni\AppData\Roaming\Vso
2008-12-05 22:47 47,360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2008-12-05 22:47 47,360 ----a-w c:\users\Abhilash Kamineni\AppData\Roaming\pcouffin.sys
2008-12-05 22:47 --------- d-----w c:\program files\DVDFab 5
2008-12-05 22:12 --------- d-----w c:\users\Abhilash Kamineni\AppData\Roaming\ImgBurn
2008-12-05 22:10 --------- d-----w c:\program files\ImgBurn
2008-12-05 21:55 --------- d-----w c:\users\Abhilash Kamineni\AppData\Roaming\RipIt4Me
2008-12-05 20:41 --------- d-----w c:\users\Abhilash Kamineni\AppData\Roaming\HP
2008-12-05 20:19 --------- d-----w c:\users\Guest\AppData\Roaming\Symantec
2008-12-05 06:50 --------- d-----w c:\program files\Google
2008-12-05 04:10 --------- d-----w c:\programdata\FreeDownloadManager.ORG
2008-12-05 04:10 --------- d-----w c:\program files\Free Download Manager
2008-12-04 11:21 --------- d-----w c:\programdata\WildTangent
2008-12-04 08:56 2,231,606 ----a-w c:\users\All Users\Games.exe
2008-12-04 08:56 2,231,606 ----a-w c:\programdata\Games.exe
2008-12-04 08:14 --------- d-----w c:\users\Abhilash Kamineni\AppData\Roaming\PlayFirst
2008-12-04 08:12 --------- d-----w c:\users\Abhilash Kamineni\AppData\Roaming\WildTangent
2008-12-04 07:14 3,063,561 ----a-w c:\users\All Users\MobileTV.exe
2008-12-04 07:14 3,063,561 ----a-w c:\programdata\MobileTV.exe
2008-12-04 07:14 2,989,660 ----a-w c:\users\All Users\DVD.exe
2008-12-04 07:14 2,989,660 ----a-w c:\programdata\DVD.exe
2008-12-04 07:14 2,864,396 ----a-w c:\users\All Users\MPV.exe
2008-12-04 07:14 2,864,396 ----a-w c:\programdata\MPV.exe
2008-12-04 07:14 2,331,174 ----a-w c:\users\All Users\Karaoke.exe
2008-12-04 07:14 2,331,174 ----a-w c:\programdata\Karaoke.exe
2008-12-04 07:14 --------- d-----w c:\programdata\ENU
2008-12-04 04:07 --------- d-----w c:\users\Abhilash Kamineni\AppData\Roaming\Hewlett-Packard
2008-12-04 04:06 --------- d-----w c:\users\Abhilash Kamineni\AppData\Roaming\Symantec
2008-12-04 04:01 --------- d-----w c:\program files\MediaRing
2008-12-04 03:59 0 --sha-r c:\windows\system32\drivers\103C_HP_cNB_Pavilion dv7 Notebook PC_Y5335KV_0U_QCND8454QZH_E464632-372_4A_I30F4_SCompal_V99.75_F.13_T081001_WV3-1_L409_M3069_J250_7Intel_8676_92.27_#081108_N10EC8168;80864237_(NE554PA#ABG)_XMOBILE_CN10_Z_2F.13.MRK
2008-12-03 22:34 30,088 ----a-w c:\windows\system32\drivers\point32k.sys
2008-11-17 02:40 3,668,480 ----a-w c:\windows\system32\drivers\NETw5v32.sys
2008-11-06 16:37 524,288 ----a-w c:\windows\System32\DivXsm.exe
2008-11-06 16:37 3,596,288 ----a-w c:\windows\System32\qt-dx331.dll
2008-11-06 16:35 200,704 ----a-w c:\windows\System32\ssldivx.dll
2008-11-06 16:35 1,044,480 ----a-w c:\windows\System32\libdivx.dll
2008-11-06 16:33 823,296 ----a-w c:\windows\System32\divx_xx0c.dll
2008-11-06 16:33 823,296 ----a-w c:\windows\System32\divx_xx07.dll
2008-11-06 16:33 815,104 ----a-w c:\windows\System32\divx_xx0a.dll
2008-11-06 16:33 802,816 ----a-w c:\windows\System32\divx_xx11.dll
2008-11-06 16:33 684,032 ----a-w c:\windows\System32\DivX.dll
2008-11-06 16:33 12,288 ----a-w c:\windows\System32\DivXWMPExtType.dll
2008-11-01 03:44 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-11-01 03:44 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-11-01 03:44 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-11-01 03:44 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-11-01 03:44 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-10-22 03:57 241,152 ----a-w c:\windows\System32\PortableDeviceApi.dll
2008-10-21 05:25 1,645,568 ----a-w c:\windows\System32\connect.dll
2008-10-16 21:13 1,809,944 ----a-w c:\windows\System32\wuaueng.dll
2008-10-16 21:12 561,688 ----a-w c:\windows\System32\wuapi.dll
2008-10-16 21:09 51,224 ----a-w c:\windows\System32\wuauclt.exe
2008-10-16 21:09 43,544 ----a-w c:\windows\System32\wups2.dll
2008-10-16 21:08 34,328 ----a-w c:\windows\System32\wups.dll
2008-10-16 20:56 1,524,736 ----a-w c:\windows\System32\wucltux.dll
2008-10-16 20:55 83,456 ----a-w c:\windows\System32\wudriver.dll
2008-10-16 01:08 162,064 ----a-w c:\windows\System32\wuwebv.dll
2008-10-16 00:56 31,232 ----a-w c:\windows\System32\wuapp.exe
2008-01-21 02:43 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-02-27 2289664]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-05 39408]
"Free Uploader Oe Integration"="c:\program files\Free Download Manager\FUM\fumoei.exe" [2007-06-10 40960]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-14 13535776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-14 92704]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-19 1033512]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-06-28 442467]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-12-25 222504]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-06-26 468264]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-03-15 202032]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-11-02 554288]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-23 80896]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-04-16 70912]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-09 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-16 488752]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-14 136600]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALuNotify.exe" [2008-02-10 152952]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-06-20 727592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codecp"= l3codecp.acm
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{B10E1718-9EF6-4973-B732-8A657A2799C9}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{A7C6E2D9-BE21-442F-8D00-277AB5B6710D}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{3838D068-D356-45DC-9E7D-1F607134F0C0}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{F70860D8-E113-42DF-AEE8-F1EA6678F765}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{2E3D79E0-ACC1-42F3-85D3-20F397574C25}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{C744A827-4A8F-4AB2-B6AB-B92CE084BDB5}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{5746A857-DB3C-45DD-9B36-7CD433C171CF}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"DoNotAllowExceptions"= 0 (0x0)

R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20090102.001\IDSvix86.sys [2009-01-06 270384]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-08-11 193840]
R3 enecir;ENE CIR Receiver;c:\windows\System32\drivers\enecir.sys [2008-01-25 52736]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-08-11 109616]
R3 JMCR;JMCR;c:\windows\System32\drivers\jmcr.sys [2008-07-08 96856]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [2008-11-17 3668480]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\System32\drivers\nvhda32v.sys [2008-05-14 43552]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [2008-06-13 41008]
R4 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_a7e996cd\AEstSrv.exe [2008-11-09 77824]
R4 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
R4 hpsrv;HP Service;c:\windows\System32\hpservice.exe [2008-03-19 24880]
R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-02-07 149352]
R4 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [2008-08-11 361808]
S3 COH_Mon;COH_Mon;c:\windows\System32\drivers\COH_Mon.sys [2008-01-13 23888]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-08-05 29184016]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-12-04 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Abhilash Kamineni.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2008-02-08 01:05]

2009-01-15 c:\windows\Tasks\User_Feed_Synchronization-{56FF84F0-A972-4EF0-8A3C-7E0598007618}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 15:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.nz/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_nz&c=83&bd=Pavilion&pf=cnnb
IE: &AOL Toolbar Search - c:\programdata\AOL\ieToolbar\resources\en-NZ\local\search.html
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {{FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - c:\program files\Free Download Manager\FUM\fumiebtn.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-15 13:47:07
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-15 13:48:46
ComboFix-quarantined-files.txt 2009-01-15 00:48:43

Pre-Run: 152,808,701,952 bytes free
Post-Run: 153,034,268,672 bytes free

295 --- E O F --- 2009-01-14 20:46:51

#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:15 PM

Posted 14 January 2009 - 08:06 PM

That's good news.

I'll get back to you tomorrow.

The Panda

#9 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:15 PM

Posted 15 January 2009 - 05:35 PM

Hello.

It seems as though Free Download Manager was causing Windows Defender to detect it as a virus.

It should still be safe to use, though you will have to live with the warning.

With Regards,
The Panda

#10 A.K

A.K
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:15 AM

Posted 15 January 2009 - 07:19 PM

Oh, really? I just started up FDM now and it is still working, so I guess everything is still fine.

If more warnings come up I'll install a new download manager.

Thanks for all your help, PP
AK

#11 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:15 PM

Posted 15 January 2009 - 07:30 PM

That's good to hear.

Uninstall ComboFix
Remove Combofix now that we're done with it.

If this tool has helped you, please consider making a donation to its author.
  • Click on your Start Menu, then Run....
  • Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".
Uninstalling ComboFix will do the following:
  • Delete ComboFix and its components from your computer.
  • Delete other tools commonly used during the malware removal process.
  • Reset clock settings to standard format.
  • Hide file extensions and hidden/system files.
  • Clear the System Restore cache and create a new restore point.
Looks like you are good to go then.

With Regards,
The Panda

#12 A.K

A.K
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:15 AM

Posted 15 January 2009 - 09:11 PM

Yup, done

Thanks PP
AK

#13 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:15 PM

Posted 16 January 2009 - 08:05 AM

Welcome :thumbsup:.

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda
