Trojan : Win32/AgentBypass.gen!K and Dr Web crashing


  • This topic is locked
19 replies to this topic

#1 arjuns


  • Members
  • 15 posts

Posted 06 February 2009 - 02:57 PM

I had started off with my problem in this thread.

http://www.bleepingcomputer.com/forums/t/199275/trojan-win32agentbypassgenk-and-dr-web-crashing/

I am infected with Trojan : Win32/AgentBypass.gen!K and Windows Defender tells me this every time I boot up. I asked for help in the thread above. I was asked to run MBAM, but it did not detect any malware in either the quick scan or the complete scan. I was then told to run Dr Web. But when I click on Dr Web's launch.exe, I get a pop-up that says "setup.exe has encountered a problem and needs to close. Windows is trying to find a solution to this problem and will notify you when a solution is found." Then Dr Web just crashes. I tried this in normal mode and in safe mode, with and without networking. Dr Web crashes every time. I was advised to run dds.scr and post the logs here. I have run dds.scr, pasted DDS.txt below and attached Attach.txt to this post. Thank you...


Regards,
Arjun...



DDS (Ver_09-02-01.01) - NTFSx86
Run by Arjun at 1:14:36.66 on 07-02-2009
Internet Explorer: 7.0.6000.16764
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.91.1033.18.2038.932 [GMT 5.5:30]

AV: avast! antivirus 4.8.1296 [VPS 090206-0] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Acer\Empowering Technology\eNet\eNet Service.exe
C:\altera\quartus60\win\JTAGServer.exe
C:\Windows\system32\lkcitdl.exe
C:\Windows\system32\lkads.exe
C:\Windows\system32\lktsrv.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Windows\system32\nisvcloc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\Windows\system32\vmnat.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Windows\system32\vmnetdhcp.exe
C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Acer\Empowering Technology\eAudio\eAudio.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Free Download Manager\FUM\fum.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Users\Arjun\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Codebox\BitMeter\BitMeter2.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Users\Arjun\AppData\Roaming\Google\Google Talk\googletalk.exe
D:\Arjun\sdc213\StrongDC.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Arjun\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = 192.168.36.204:8080
uInternet Settings,ProxyOverride = 192.168.*.*;172.16.*.*;127.0.0.1;172.16.*.*.;172.17.*.*;192.168.*.*;*iiit.ac.in;*iiit.net;
uURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - c:\program files\winamp toolbar\winamptb.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - c:\program files\winamp toolbar\winamptb.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - c:\program files\winamp toolbar\winamptb.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [Free Upload Manager] c:\program files\free download manager\fum\fum.exe -autorun
uRun: [Free Uploader Oe Integration] c:\program files\free download manager\fum\fumoei.exe
uRun: [Free Download Manager] c:\program files\free download manager\fdm.exe -autorun
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [googletalk] c:\users\arjun\appdata\roaming\google\google talk\googletalk.exe /autostart
uRun: [Google Update] "c:\users\arjun\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [eAudio] "c:\acer\empowering technology\eaudio\eAudio.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
StartupFolder: c:\users\arjun\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\bitmet~1.lnk - c:\program files\codebox\bitmeter\BitMeter2.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
IE: &Winamp Search - c:\programdata\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - c:\program files\free download manager\fum\fumiebtn.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: eNetHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\arjun\appdata\roaming\mozilla\firefox\profiles\dui7jwhb.default\
FF - prefs.js: browser.startup.homepage - chrome://speeddial/content/speeddial.xul
FF - prefs.js: network.proxy.ftp - 192.168.36.204
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - 192.168.36.204
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - 192.168.36.204
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 192.168.36.204
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 192.168.36.204
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - component: c:\users\arjun\appdata\roaming\mozilla\firefox\profiles\dui7jwhb.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampPlayer.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPLV80Win32.dll
FF - plugin: c:\users\arjun\appdata\local\google\update\1.2.133.33\npGoogleOneClick7.dll

============= SERVICES / DRIVERS ===============

R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2005-11-14 34176]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-6 111184]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-6 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2007-9-4 51792]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S0 OemBiosDevice;Royalty OEM Bios Extension;c:\windows\system32\drivers\royal.sys [2007-8-30 240128]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2006-11-2 167936]

=============== Created Last 30 ================

2009-01-31 21:21 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-31 21:21 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-31 21:21 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-28 16:08 --d----- C:\DoctorWeb
2009-01-28 15:25 --d----- c:\users\arjun\DoctorWeb
2009-01-28 13:58 --d----- c:\programdata\SUPERAntiSpyware.com
2009-01-28 13:58 --d----- c:\progra~2\SUPERAntiSpyware.com
2009-01-28 13:58 --d----- c:\users\arjun\appdata\roaming\SUPERAntiSpyware.com
2009-01-28 13:58 --d----- c:\program files\SUPERAntiSpyware
2009-01-28 13:56 --d----- c:\program files\common files\Wise Installation Wizard
2009-01-28 13:45 --d----- c:\users\arjun\appdata\roaming\Malwarebytes
2009-01-28 13:45 --d----- c:\programdata\Malwarebytes
2009-01-28 13:45 --d----- c:\progra~2\Malwarebytes
2009-01-25 03:02 1,383,424 a------- c:\windows\system32\mshtml.tlb
2009-01-25 03:01 2,048 a------- c:\windows\system32\tzres.dll
2009-01-24 18:03 1,687,040 a------- c:\windows\system32\gameux.dll
2009-01-24 18:03 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-01-24 18:03 4,247,552 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-01-24 18:01 297,472 a------- c:\windows\system32\gdi32.dll
2009-01-24 18:01 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2009-01-24 18:01 160,768 a------- c:\windows\system32\PortableDeviceTypes.dll
2009-01-24 18:01 95,232 a------- c:\windows\system32\PortableDeviceClassExtension.dll
2009-01-24 18:00 2,923,520 a------- c:\windows\explorer.exe
2009-01-23 14:50 1,645,568 a------- c:\windows\system32\connect.dll
2009-01-23 14:39 1,524,736 a------- c:\windows\system32\wucltux.dll
2009-01-23 14:39 83,456 a------- c:\windows\system32\wudriver.dll
2009-01-23 14:39 162,064 a------- c:\windows\system32\wuwebv.dll
2009-01-23 14:39 31,232 a------- c:\windows\system32\wuapp.exe
2009-01-16 19:35 --d----- c:\users\arjun\appdata\roaming\MathWorks
2009-01-16 19:34 407,104 a------- c:\windows\system32\MSHFLXGD.OCX
2009-01-16 19:34 645,120 a------- c:\windows\system32\config.gms
2009-01-13 19:08 --d----- C:\Miscellaneous

==================== Find3M ====================

2009-01-29 11:44 174 a--sh--- c:\program files\desktop.ini
2008-12-16 08:44 290,304 a------- c:\windows\system32\drivers\srv.sys
2008-11-30 18:25 237,568 a------- c:\windows\system32\rmc_rtspdl.dll
2008-11-30 18:25 156,672 a------- c:\windows\system32\rmc_fixasf.exe
2008-11-30 18:24 323,584 a------- c:\windows\system32\AUDIOGENIE2.DLL
2008-08-24 11:28 86,016 a------- c:\windows\inf\infstrng.dat
2008-08-24 11:28 51,200 a------- c:\windows\inf\infpub.dat
2008-08-24 11:28 86,016 a------- c:\windows\inf\infstor.dat
2008-07-15 19:03 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 18:10 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 18:10 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 18:10 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 18:10 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 14:50 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 14:50 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 14:50 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 14:50 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-08-31 20:27 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2007-08-31 20:27 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2007-08-31 20:27 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 1:16:04.43 ===============



#2 Billy O'Neal


    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 14 February 2009 - 07:22 PM

Hello, arjuns
:thumbup2: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the [image] button in the lower left hand corner of your screen.
We need to scan for Rootkits with GMER
  • Please download GMER from one of the following mirrors:
  • Close any and all open programs, as this process may crash your computer.
  • Unzip the downloaded file to your desktop.
  • Double click [image] on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
  • Click on [image] and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push [image] and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.
Please do an online scan with Kaspersky WebScanner.
  • Please visit the Kaspersky Online Scanner website.
    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
In your next reply, please include the following:
  • GMER's Log
  • Kaspersky's Log

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 arjuns

  • Topic Starter

  • Members
  • 15 posts

Posted 16 February 2009 - 01:19 PM

Hi Bill,

Thanks for looking into my logs. I have pasted the logs of gmer and kaspersky below.

GMER

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-16 17:26:41
Windows 6.0.6000


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0x8D4F500A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0x8D4F4F4A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0x8D4F4FAE]

INT 0x51 ? 85D37E58
INT 0x62 ? 85D37E58
INT 0x82 ? 84053BF8
INT 0x82 ? 84053BF8
INT 0x82 ? 85D37E58
INT 0x82 ? 84053BF8
INT 0x92 ? 84053BF8
INT 0xA2 ? 85D37E58

---- Kernel code sections - GMER 1.0.14 ----

? System32\Drivers\spgg.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload 8BE35FEB 5 Bytes JMP 85D37438
.text aw67865g.SYS 8C42F000 22 Bytes [ 8E, 71, 3A, 82, 78, 70, 3A, ... ]
.text aw67865g.SYS 8C42F017 27 Bytes [ 00, 99, 07, 68, 80, A4, 05, ... ]
.text aw67865g.SYS 8C42F033 39 Bytes [ 82, 13, 8A, 07, 82, A3, 8A, ... ]
.text aw67865g.SYS 8C42F05B 6 Bytes [ 82, 70, 18, 08, 82, E2 ]
.text aw67865g.SYS 8C42F062 84 Bytes [ 08, 82, 58, 68, 05, 82, 8C, ... ]
.text ...

---- User code sections - GMER 1.0.14 ----

.text C:\Users\Arjun\Desktop\gmer\gmer.exe[2260] ntdll.dll!NtCreateFile + 3 77B1F417 2 Bytes [ 53, FA ]

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [81F056D2] \SystemRoot\System32\Drivers\spgg.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [81F05040] \SystemRoot\System32\Drivers\spgg.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [81F057FC] \SystemRoot\System32\Drivers\spgg.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [81F050BE] \SystemRoot\System32\Drivers\spgg.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [81F0513C] \SystemRoot\System32\Drivers\spgg.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [81F14D92] \SystemRoot\System32\Drivers\spgg.sys
IAT \SystemRoot\System32\Drivers\aw67865g.SYS[ataport.SYS!AtaPortNotification] F73BFF33
IAT \SystemRoot\System32\Drivers\aw67865g.SYS[ataport.SYS!AtaPortWritePortUchar] B85F0B75
IAT \SystemRoot\System32\Drivers\aw67865g.SYS[ataport.SYS!AtaPortWritePortUlong] FFFFFFFE
IAT \SystemRoot\System32\Drivers\aw67865g.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 08C25D5E
IAT \SystemRoot\System32\Drivers\aw67865g.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 5D8B5300
IAT \SystemRoot\System32\Drivers\aw67865g.SYS[ataport.SYS!AtaPortGetScatterGatherList] 74DF3B0C
IAT \SystemRoot\System32\Drivers\aw67865g.SYS[ataport.SYS!AtaPortReadPortUchar] 01FB8311
IAT \SystemRoot\System32\Drivers\aw67865g.SYS[ataport.SYS!AtaPortStallExecution] 5F5B0C74
IAT \SystemRoot\System32\Drivers\aw67865g.SYS[ataport.SYS!AtaPortGetParentBusType] FFFFFEB8
IAT \SystemRoot\System32\Drivers\aw67865g.SYS[ataport.SYS!AtaPortRequestCallback] C25D5EFF
IAT \SystemRoot\System32\Drivers\aw67865g.SYS[ataport.SYS!AtaPortWritePortBufferUshort] 7E390008
IAT \SystemRoot\System32\Drivers\aw67865g.SYS[ataport.SYS!AtaPortGetUnCachedExtension] C7077524
IAT \SystemRoot\System32\Drivers\aw67865g.SYS[ataport.SYS!AtaPortCompleteRequest] D1642446
IAT \SystemRoot\System32\Drivers\aw67865g.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 7E398C43
IAT \SystemRoot\System32\Drivers\aw67865g.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] C7077528
IAT \SystemRoot\System32\Drivers\aw67865g.SYS[ataport.SYS!AtaPortMoveMemory] D1902846
IAT \SystemRoot\System32\Drivers\aw67865g.SYS[ataport.SYS!AtaPortReadPortUshort] 468B8C43
IAT \SystemRoot\System32\Drivers\aw67865g.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 244E8B2C
IAT \SystemRoot\System32\Drivers\aw67865g.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 7468016A
IAT \SystemRoot\System32\Drivers\aw67865g.SYS[ataport.SYS!AtaPortInitialize] 500000FA
IAT \SystemRoot\System32\Drivers\aw67865g.SYS[ataport.SYS!AtaPortGetDeviceBase] C73BD1FF
IAT \SystemRoot\System32\Drivers\aw67865g.SYS[ataport.SYS!AtaPortDeviceStateChange] 5F5B0C75

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Windows\system32\services.exe[572] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00190002
IAT C:\Windows\system32\services.exe[572] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 00190000
IAT C:\Windows\Explorer.EXE[1152] @ C:\Windows\system32\ole32.dll [msvcrt.dll!free] [6BBADE6B] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4120] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4120] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4120] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4120] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4120] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4120] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4120] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4120] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4120] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4120] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4120] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4120] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4120] @ C:\Windows\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4120] @ C:\Windows\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4120] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4120] @ C:\Windows\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4120] @ C:\Windows\system32\SHELL32.dll [USER32.dll!AnimateWindow] [63601740] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4120] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4120] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4120] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4120] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4120] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4120] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4120] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 84E0A1F8

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

Device \Driver\netbt \Device\NetBT_Tcpip_{310BE242-1C90-46D2-9673-E8D7045689E2} 8682E1F8

AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

Device \Driver\volmgr \Device\VolMgrControl 840551F8
Device \Driver\usbuhci \Device\USBPDO-0 85DB91F8
Device \Driver\usbuhci \Device\USBPDO-1 85DB91F8
Device \Driver\usbuhci \Device\USBPDO-2 85DB91F8
Device \Driver\usbuhci \Device\USBPDO-3 85DB91F8
Device \Driver\usbehci \Device\USBPDO-4 85DB81F8

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\volmgr \Device\HarddiskVolume1 840551F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\volmgr \Device\HarddiskVolume2 840551F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\cdrom \Device\CdRom0 85DC31F8
Device \Driver\volmgr \Device\HarddiskVolume3 840551F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 84E081F8
Device \Driver\atapi \Device\Ide\IdePort0 84E081F8
Device \Driver\atapi \Device\Ide\IdePort1 84E081F8
Device \Driver\atapi \Device\Ide\IdePort2 84E081F8
Device \Driver\msahci \Device\Ide\PciIde1Channel0 84E091F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-2 84E081F8
Device \Driver\msahci \Device\Ide\PciIde1Channel2 84E091F8
Device \Driver\volmgr \Device\HarddiskVolume4 840551F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\netbt \Device\NetBt_Wins_Export 8682E1F8
Device \Driver\netbt \Device\NetBT_Tcpip_{1CA30117-6F73-4CCF-AFFC-08E4D9B56637} 8682E1F8
Device \Driver\Smb \Device\NetbiosSmb 868271F8
Device \Driver\PCI_PNP5560 \Device\0000005b spgg.sys
Device \Driver\iScsiPrt \Device\RaidPort0 85DC8500

AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\sptd \Device\3341119594 spgg.sys
Device \Driver\netbt \Device\NetBT_Tcpip_{6CA8809E-9986-4577-91DF-1762A5C1B8AB} 8682E1F8
Device \Driver\usbhub \Device\0000006b hcmon.sys
Device \Driver\usbuhci \Device\USBFDO-0 85DB91F8
Device \Driver\usbuhci \Device\USBFDO-0 hcmon.sys
Device \Driver\usbhub \Device\0000006c hcmon.sys
Device \Driver\usbuhci \Device\USBFDO-1 85DB91F8
Device \Driver\usbuhci \Device\USBFDO-1 hcmon.sys
Device \Driver\usbhub \Device\0000006d hcmon.sys
Device \Driver\usbuhci \Device\USBFDO-2 85DB91F8
Device \Driver\usbuhci \Device\USBFDO-2 hcmon.sys
Device \Driver\usbhub \Device\0000006e hcmon.sys
Device \Driver\usbuhci \Device\USBFDO-3 85DB91F8
Device \Driver\usbuhci \Device\USBFDO-3 hcmon.sys
Device \Driver\usbhub \Device\0000006f hcmon.sys
Device \Driver\usbehci \Device\USBFDO-4 85DB81F8
Device \Driver\usbehci \Device\USBFDO-4 hcmon.sys
Device \Driver\netbt \Device\NetBT_Tcpip_{640E8363-17E6-4D4B-9B0B-9096EF8E84B6} 8682E1F8
Device \Driver\aw67865g \Device\Scsi\aw67865g1 85DC61F8
Device \FileSystem\cdfs \Cdfs 87CDB1F8

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00197effd6f2
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00197effd6f2@001b33d39109 0x52 0x85 0x64 0x1E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x2C 0x13 0x16 0x64 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x55 0x63 0xB2 0x34 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xE6 0xE7 0x5D 0xDB ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00197effd6f2
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00197effd6f2@001b33d39109 0x52 0x85 0x64 0x1E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x2C 0x13 0x16 0x64 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x55 0x63 0xB2 0x34 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xE6 0xE7 0x5D 0xDB ...

---- EOF - GMER 1.0.14 ----


Kaspersky

Monday, February 16, 2009
Operating System: Microsoft Windows Vista Ultimate Edition, 32-bit (build 6000)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, February 16, 2009 13:18:18
Records in database: 1803385


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
E:\
F:\
G:\

Scan statistics
Files scanned 347680
Threat name 1
Infected objects 12
Suspicious objects 0
Duration of the scan 04:25:15

File name Threat name Threats count
D:\Arjun\sdc213\Downloads\placements\Placement_ques\Companies papers\general\INTERVIEW\Interview-Tips.zip.gz Infected: Trojan.IRC.KarmaHotel 12

The selected area was scanned.

#4 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 16 February 2009 - 04:01 PM

Hello, arjuns
It appears that the failure of Dr. Web is related to Avast's "Self Protection Module".

Do you have any other symptoms of infection besides Windows Defender's warning? Does Defender list a location for what it finds?

We need to execute an OTMoveIt3 script
  • Please download OTMoveIt3 by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :files
    D:\Arjun\sdc213\Downloads\placements\Placement_ques\Companies papers\general\INTERVIEW\Interview-Tips.zip.gz
  • Push the large Posted Image button.
  • OTMI3 may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
In your next reply, please include the following:
  • OTMoveIt3's Log

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#5 arjuns (Topic Starter)

Posted 20 February 2009 - 10:25 AM

Hi Bill,

Should I try running Dr Web with Avast disabled or uninstalled?

There are no other harmful symptoms other than Windows Defender's warning. Defender does not give any location for it.

I have pasted the log of OTMoveIt below. It did not ask me to reboot the machine.



========== FILES ==========
D:\Arjun\sdc213\Downloads\placements\Placement_ques\Companies papers\general\INTERVIEW\Interview-Tips.zip.gz moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02202009_205028

Thanks Bill,
Regards,
Arjun

#6 Billy O'Neal

Posted 20 February 2009 - 06:38 PM

Hello, arjuns
After resetting system restore, please let me know if Defender is still complaining.

Reset System Restore
Windows' "System Restore" feature can cause malware files to be cached and retained by your system. Resetting System Restore will clean these files from your system, and will allow you to use System Restore without fear of reinfection.
  • Go to Start -> Control Panel -> System and Maintenance -> System.
  • Select "System Protection" in the upper left hand corner.
  • Click the button marked "Create" in the bottom of the window.
  • Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Open Vista's Searchbox (on your start menu) and type in "cleanmgr.exe"
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up", and then "Delete" in the "System Restore and Shadow Copies" section to remove all previous restore points except the newly created one.
Note: You should only do this once, not on a regular basis!
You will not be able to restore computer to any earlier than today!

BillyIII
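
The same "keep one fresh restore point, discard the rest" procedure, done from an elevated PowerShell prompt instead of the GUI. This is an added example and is not part of the thread or of any tool it mentions; it assumes Windows PowerShell 2.0 or later (Vista shipped with 1.0, which lacks these cmdlets), that System Protection is on for the system drive, and that C: is that drive.

```powershell
#Requires -Version 2.0
# Added example, not from the thread: create one clean restore point and remove
# every older one, because old restore points can hold copies of malware that a
# later System Restore would bring back. Assumptions: PowerShell 2.0+, elevated
# prompt, System Protection enabled, C: is the system drive.

function Reset-SystemRestore {
    param(
        [string]$Drive = 'C:',
        [string]$Description = 'Clean baseline after malware removal'
    )

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (Administrator) prompt.'
    }

    # Checkpoint-Computer fails if System Protection is off for the drive.
    Enable-ComputerRestore -Drive "$Drive\"

    # Log what is about to be discarded so the cleanup is traceable.
    foreach ($rp in @(Get-ComputerRestorePoint)) {
        Write-Host ("Discarding restore point {0}: {1} ({2})" -f $rp.SequenceNumber,
            $rp.Description, $rp.ConvertToDateTime($rp.CreationTime))
    }

    # Restore points live in Volume Shadow Copies; vssadmin removes them all.
    # Deleting first and creating afterwards leaves exactly one point, which
    # avoids picking the new one out of the list by hand as cleanmgr requires.
    & vssadmin.exe delete shadows /for=$Drive /all /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "vssadmin failed with exit code $LASTEXITCODE" }

    Checkpoint-Computer -Description $Description -RestorePointType 'MODIFY_SETTINGS'

    # Return the surviving point(s) so the caller can record them.
    Get-ComputerRestorePoint | Select-Object SequenceNumber, Description,
        @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } }
}

# Usage (interactive, once, after cleaning): Reset-SystemRestore
# As with the GUI steps, you lose the ability to roll back to any day before today.
```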

#7 arjuns (Topic Starter)

Posted 21 February 2009 - 01:54 AM

Hi Bill,

Yes Defender is still complaining even after system restore :thumbup2:

Regards,
Arjun

#8 Billy O'Neal

Posted 21 February 2009 - 08:45 PM

Please go to Start -> Control Panel -> Security -> Windows Defender.

Click "History" on the top of the window.

Click the blue text which says "Quarantined Items".

Let me know what some of the names are, please.

Billy3

#9 arjuns (Topic Starter)

Posted 21 February 2009 - 11:52 PM

Hi Bill,

I get Name: Trojan : Win32/AgentBypass.gen!K with Alert Level: Severe, action taken: quarantine, and Status: succeeded when I go to the history of Windows Defender. But, when I click on the blue quarantined items link, I get zero names in the list. Thanks Bill...

Regards,
Arjun

#10 Billy O'Neal

Posted 22 February 2009 - 12:52 AM

Hello, arjuns
More information on that infection:
http://onecare.live.com/site/en-us/virusen...ypass.gen!K

That detection is a heuristics detection -- it's not identifying a specific malware threat. It is possible -- though unlikely -- a legitimate application is causing the issue.

Unfortunately, if Defender doesn't give us a filename to work with, there is little I can do about it at this point.

High on the list of possible culprits are:

Daemon Tools
Avast Self Protection Module
Yahoo Messenger

Far as I can tell, this may be a mistake on the part of defender -- but you may want to give removal of those a shot.

BillyIII

#11 arjuns (Topic Starter)

Posted 24 February 2009 - 01:38 PM

Hi Bill,

In Windows Defender, it gives a process ID along with the warning. I looked up the process ID in Task Manager and saw that it corresponded to the Free Download Manager software. So I uninstalled Free Download Manager and now I don't get any more warnings at all.

However, I am still not able to run Dr Web and it still keeps crashing. I tried uninstalling the mentioned software and turning off Avast's self protection feature, but Dr Web still crashes.

One more thing, I am not getting any defender warnings and all, but is there some way I can be absolutely sure that I am really "disinfected" and clean? Thanks Bill.

Regards,
Arjun
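
Mapping the process ID from the Defender alert to an executable in Task Manager is the right move for a heuristic detection; the added example below (not part of the thread or of any tool in it) goes one step further and collects the evidence you would want before deciding, as happened here, that the detection is a false positive. It assumes Windows PowerShell 2.0 or later and that the process is still running under the reported PID; PIDs are reused once a process exits, so run it while the alert is fresh and compare StartedAt with the alert time.

```powershell
#Requires -Version 2.0
# Added example, not from the thread: turn the PID that Windows Defender reports
# into the facts needed to judge a heuristic detection: image path, signer,
# SHA-256, parent process, start time and any Run-key autostart entry.
# Assumes PowerShell 2.0+ and that the PID still belongs to the alerted process.

function Get-AlertProcessEvidence {
    param([Parameter(Mandatory = $true)][int]$ProcessId)

    $proc = Get-Process -Id $ProcessId -ErrorAction Stop
    $wmi  = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $ProcessId"

    # .Path is empty when the caller cannot open the process; fall back to WMI.
    $path = $proc.Path
    if (-not $path -and $wmi) { $path = $wmi.ExecutablePath }

    $sig = $null; $ver = $null; $sha256 = $null
    if ($path -and (Test-Path -LiteralPath $path)) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        $ver = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path)
        $stream = [System.IO.File]::OpenRead($path)
        try {
            $bytes  = [System.Security.Cryptography.SHA256]::Create().ComputeHash($stream)
            $sha256 = [System.BitConverter]::ToString($bytes).Replace('-', '')
        } finally { $stream.Close() }
    }

    $parent = $null
    if ($wmi) { $parent = Get-Process -Id $wmi.ParentProcessId -ErrorAction SilentlyContinue }

    # Is this image registered to start automatically? HKCU entries need no admin
    # rights and are the usual choice of user-mode malware. (Constructed key list.)
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $autostart = @()
    if ($path) {
        $exe = [System.IO.Path]::GetFileName($path)
        foreach ($key in $runKeys) {
            if (-not (Test-Path $key)) { continue }
            foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
                if (($p.Value -is [string]) -and ($p.Value -like "*$exe*")) {
                    $autostart += "$key\$($p.Name) = $($p.Value)"
                }
            }
        }
    }

    $status = 'n/a'; $signer = $null; $company = $null; $product = $null
    if ($sig) { $status = $sig.Status.ToString() }
    if ($sig -and $sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    if ($ver) { $company = $ver.CompanyName; $product = $ver.ProductName }
    $cmdline = $null; $started = $null; $parentText = $null
    if ($wmi) { $cmdline = $wmi.CommandLine; $started = $wmi.ConvertToDateTime($wmi.CreationDate) }
    if ($parent) { $parentText = "{0} ({1})" -f $parent.ProcessName, $parent.Id }

    New-Object PSObject -Property @{
        ProcessId   = $ProcessId
        Name        = $proc.ProcessName
        Path        = $path
        CommandLine = $cmdline
        Company     = $company
        Product     = $product
        Signature   = $status      # only 'Valid' is reassuring
        Signer      = $signer
        SHA256      = $sha256      # look this up (e.g. VirusTotal) before trusting the file
        Parent      = $parentText
        StartedAt   = $started
        AutoStart   = $autostart
    }
}

# Usage: Get-AlertProcessEvidence -ProcessId 1234 | Format-List
```

An unsigned image in a user-writable folder, started from an HKCU Run entry, with a hash nobody else has seen, is the profile to worry about; a validly signed vendor binary such as a download manager is the profile of the false positive seen in this thread.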

#12 Billy O'Neal

Posted 24 February 2009 - 04:29 PM

Hello, arjuns

However, I am still not able to run Dr Web and it still keeps crashing. I tried uninstalling the mentioned software and turning off Avast's self protection feature, but Dr Web still crashes.

One more thing, I am not getting any defender warnings and all, but is there some way I can be absolutely sure that I am really "disinfected" and clean? Thanks Bill.

Not entirely sure why Dr. Web won't run ... there are lots of reasons that can happen -- not always malware.

We can be reasonably sure your machine is fine -- It passed the Kaspersky scan, only file found being this one ->
D:\Arjun\sdc213\Downloads\placements\Placement_ques\Companies papers\general\INTERVIEW\Interview-Tips.zip.gz Infected: Trojan.IRC.KarmaHotel 12

If you want you can give this scanner a shot as well.

I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "select all" (or use <Control>+A)
  • Right-click again and choose "Copy" (or <Control>+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

In your next reply, please include the following:
  • ESET OnlineScan's Log

BillyIII

#13 arjuns (Topic Starter)

Posted 26 February 2009 - 02:04 PM

Hi Bill,

I scanned my laptop with ESET Online Scanner and I have pasted the log below. Thanks Bill.

Regards,
Arjun


# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3892 (20090226)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=273c09386b2ab24faf14557d92fe8100
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-02-26 06:48:33
# local_time=2009-02-27 12:18:33 (+0530, India Standard Time)
# country="India"
# osver=6.0.6000 NT
# scanned=897287
# found=0
# scan_time=7618

#14 Billy O'Neal

Posted 26 February 2009 - 03:39 PM

Hello, arjuns
You Need to Update Windows (And other Microsoft Software)
Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

If you are using Windows XP or earlier
Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

If you are using Windows Vista
  • Click the "Start Menu" (or Windows Orb)
  • Click "All Programs"
  • Click "Windows Update"
  • On the left, choose "Change Settings"
  • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
  • Press OK and accept the UAC prompt.
    Note: You shouldn't need to check this checkbox every single time you update, only the first time.
  • Click "Check for Updates" in the upper left corner.
  • Follow the instructions to install the latest updates.
  • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
We need to run a Scan with DDS
  • Please download DDS, and save it to your desktop, from one of the following mirrors:
  • Disable any type of "Script Blockers" or "Script Protection" installed on your system.
  • Double click Posted Image on your desktop.
  • If prompted by any script blocking tools, please allow any actions taken by DDS.
  • Two reports will open. Please reply with the generated reports:
    • DDS.txt <-- Copy and paste into your next post
    • Attach.txt <-- Attach to your next post
In your next reply, please include the following:
  • DDS.txt
  • Attach.txt

BillyIII
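
The two things the Windows Update steps above accomplish, opting in to Microsoft Update and checking for missing updates, done through the Windows Update Agent COM API so the result can be checked rather than clicked through. This is an added example, not part of the thread; it assumes an elevated prompt with network access. The GUID is Microsoft Update's well-known service ID, and the flag value 7 is asfAllowPendingRegistration + asfAllowOnlineRegistration + asfRegisterServiceWithAU.

```powershell
# Added example, not from the thread: register Microsoft Update with Automatic
# Updates (the "Use Microsoft Update" checkbox) and list every applicable update
# that is not yet installed, most severe first. Assumes an elevated prompt and
# network access; uses only the documented Windows Update Agent COM objects.

$MicrosoftUpdateServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'

function Enable-MicrosoftUpdate {
    # Without this, only Windows itself is patched; Office and other Microsoft
    # products are skipped.
    $mgr = New-Object -ComObject Microsoft.Update.ServiceManager
    $registered = @($mgr.Services | Where-Object { $_.ServiceID -eq $MicrosoftUpdateServiceId })
    if ($registered.Count -eq 0) {
        $mgr.AddService2($MicrosoftUpdateServiceId, 7, '') | Out-Null
    }
    $mgr.Services | Where-Object { $_.ServiceID -eq $MicrosoftUpdateServiceId } |
        Select-Object Name, IsRegisteredWithAU, IsDefaultAUService
}

function Get-MissingUpdates {
    # Equivalent of "Check for Updates": query Microsoft Update for updates that
    # apply to this machine, are not installed and have not been hidden.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $searcher.ServerSelection = 3                       # ssOthers: use ServiceID below
    $searcher.ServiceID = $MicrosoftUpdateServiceId
    $result = $searcher.Search('IsInstalled=0 and IsHidden=0')

    $rows = foreach ($u in $result.Updates) {
        $kbs = @($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        New-Object PSObject -Property @{
            Severity   = $u.MsrcSeverity    # Critical / Important / Moderate / Low / blank
            KB         = $kbs
            Title      = $u.Title
            Downloaded = $u.IsDownloaded
        }
    }
    $rows | Sort-Object @{ Expression = {
        switch ($_.Severity) { 'Critical' { 0 }; 'Important' { 1 }; 'Moderate' { 2 }; 'Low' { 3 }; default { 4 } }
    } }, Title
}

# Usage: Enable-MicrosoftUpdate; Get-MissingUpdates | Format-Table -AutoSize
# Install, reboot and re-run until Get-MissingUpdates returns nothing, as the
# steps above say. Critical is Microsoft's rating for flaws exploitable without
# user interaction, so those go first.
```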

#15 Billy O'Neal

Posted 02 March 2009 - 07:20 PM

Hello, arjuns
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

BillyIII



