Referred from Am I Infected


  • This topic is locked
2 replies to this topic

#1 langdon auger

  • Members
  • 31 posts

Posted 06 December 2009 - 02:58 AM

Hi.

I am having a problem with a suspicious file as mentioned here http://www.bleepingcomputer.com/forums/t/273819/possible-trojan-in-my-isp-connection/. I ran RootRepeal as requested by the moderator garmanma and they said it indicated problems and that I should post here. Since it might have been some time before someone had a chance to help me, I wiped the hard drive with Darik's Boot and Nuke, then reinstalled Windows. But as soon as I installed my internet connection from a disc from my ISP, the suspicious file had returned. I had not connected to the internet at this stage, and the only discs that had been run on the system were from Microsoft, Dell and my ISP. So I guess that the file, which is scanned as malicious by 20% of the scanners at VirusTotal, must be OK. About a week ago I submitted it to Avira for analysis but I have not heard back yet.

Could someone check that my new RootRepeal log is now clear of problems?

Also, is it at all possible for malware to survive a reinstall in the BIOS?

Thanks.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 17:01:15.51 on Sun 12/06/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.107 [GMT 10:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Tall Emu\Online Armor\OAcat.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
svchost.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com.au
uSearch Bar = hxxp://www.google.com.au
mSearch Bar = hxxp://www.google.com.au
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
BHO: KeyScramblerBHO Class: {2b9f5787-88a5-4945-90e7-c4b18563bc5e} - c:\program files\keyscrambler\KeyScramblerIE.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
mRun: [Dell Photo AIO Printer 922] "c:\program files\dell photo aio printer 922\dlbtbmgr.exe"
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [@OnlineArmor GUI] "c:\program files\tall emu\online armor\oaui.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - c:\program files\keyscrambler\KeyScramblerIE.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1259654086390
Notify: igfxcui - igfxdev.dll
SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\tallem~1\online~1\oaevent.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-12-3 11608]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-12-4 221264]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-12-4 24656]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-12-4 29776]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-12-3 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-12-3 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-12-3 55656]
R2 OAcat;Online Armor Helper Service;c:\program files\tall emu\online armor\oacat.exe [2009-12-4 1282248]
R2 SvcOnlineArmor;Online Armor;c:\program files\tall emu\online armor\oasrv.exe [2009-12-4 3291336]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2009-12-4 115312]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2009-12-1 119296]

=============== Created Last 30 ================

2009-12-06 06:28:39 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2009-12-06 06:28:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-06 06:28:31 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-06 06:28:30 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-06 06:28:30 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-06 06:27:05 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2009-12-06 06:27:03 0 d-----w- c:\program files\SpywareBlaster
2009-12-04 08:14:47 0 d-----w- C:\downloads
2009-12-04 08:13:57 0 d-----r- C:\Sandbox
2009-12-04 08:13:21 1338 ----a-w- c:\windows\Sandboxie.ini
2009-12-04 08:13:02 0 d-----w- c:\program files\Sandboxie
2009-12-04 08:06:11 115312 ----a-w- c:\windows\system32\drivers\keyscrambler.sys
2009-12-04 08:06:07 0 d-----w- c:\program files\KeyScrambler
2009-12-04 07:50:00 0 d-----w- c:\program files\CCleaner
2009-12-04 06:47:09 0 d-----w- c:\docume~1\owner\applic~1\OnlineArmor
2009-12-04 06:47:09 0 d-----w- c:\docume~1\alluse~1\applic~1\OnlineArmor
2009-12-04 06:46:50 29776 ----a-w- c:\windows\system32\drivers\OAnet.sys
2009-12-04 06:46:50 24656 ----a-w- c:\windows\system32\drivers\OAmon.sys
2009-12-04 06:46:50 221264 ----a-w- c:\windows\system32\drivers\OADriver.sys
2009-12-04 06:46:49 0 d-----w- c:\program files\Tall Emu
2009-12-03 10:20:29 0 d-sh--w- c:\documents and settings\owner\IECompatCache
2009-12-03 09:20:34 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-03 09:20:30 0 d-----w- c:\program files\Avira
2009-12-03 09:20:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2009-12-02 10:18:49 0 d-----w- c:\windows\ie8updates
2009-12-02 09:18:44 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-12-02 09:18:44 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-12-02 09:18:44 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-12-02 09:18:43 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-02 09:18:43 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-12-02 09:18:40 11069440 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-12-02 08:28:37 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-12-02 08:20:59 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-12-02 08:09:35 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx
2009-12-02 07:25:26 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-12-02 07:25:26 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-12-02 07:25:26 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-12-02 07:25:26 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-12-02 07:25:26 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-12-02 07:25:26 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-12-02 07:25:26 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-12-02 07:25:26 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-12-02 07:25:26 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-12-02 07:25:25 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-02 07:25:24 2189184 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-02 07:25:24 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-02 07:09:56 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-12-02 07:09:56 1203922 -c----w- c:\windows\system32\dllcache\sysmain.sdb
2009-12-02 07:09:55 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-12-02 07:02:29 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-12-02 06:57:13 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-12-02 06:52:18 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
2009-12-02 06:49:14 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2009-12-02 06:43:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-12-02 06:35:48 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-12-02 06:33:48 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-12-01 09:04:40 0 d-sh--w- c:\documents and settings\owner\PrivacIE
2009-12-01 09:00:55 178672 ----a-r- c:\windows\system32\drivers\ctoss2k.sys
2009-12-01 08:59:09 0 d-----w- c:\program files\Creative
2009-12-01 08:56:35 0 d-sh--w- c:\documents and settings\owner\IETldCache
2009-12-01 08:53:29 0 dc-h--w- c:\windows\ie8
2009-12-01 07:49:33 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-12-01 07:45:04 0 d-----w- c:\windows\system32\PreInstall
2009-12-01 07:45:02 0 d--h--w- c:\windows\$hf_mig$
2009-12-01 07:33:07 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
2009-12-01 07:33:07 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
2009-12-01 07:33:07 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2009-12-01 07:33:07 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2009-12-01 07:33:07 0 d-----w- c:\windows\system32\SoftwareDistribution
2009-12-01 07:26:43 0 d-sh--w- c:\documents and settings\owner\UserData
2009-12-01 07:22:08 0 d-----w- c:\program files\Qualcomm
2009-12-01 07:22:06 0 d-----w- c:\program files\TADAust Connect
2009-12-01 07:14:15 475 ----a-w- c:\windows\dellstat.ini
2009-12-01 07:13:13 0 d-----w- c:\program files\Dell Photo AIO Printer 922
2009-12-01 07:12:42 0 d-----w- c:\temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}
2009-12-01 07:12:42 0 d-----w- C:\Temp
2009-12-01 07:11:50 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2009-12-01 07:11:50 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-12-01 07:11:46 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2009-12-01 07:11:46 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-12-01 07:11:34 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-12-01 07:11:34 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-12-01 06:56:38 87040 -c----w- c:\windows\system32\dllcache\drmstor.dll
2009-12-01 06:55:05 0 d-----w- c:\windows\network diagnostic
2009-12-01 06:55:03 144384 ------w- c:\windows\system32\drivers\hdaudbus.sys
2009-12-01 06:55:02 10240 ------w- c:\windows\system32\drivers\sffp_mmc.sys
2009-12-01 06:53:43 19569 ----a-w- c:\windows\004798_.tmp
2009-12-01 06:32:19 335 ----a-w- c:\windows\mozregistry.dat
2009-12-01 06:32:19 0 d-----w- c:\program files\Netscape
2009-12-01 06:31:17 9728 ----a-w- c:\windows\system32\rnaph.dll
2009-12-01 06:22:12 135168 ----a-w- c:\windows\system32\igfxres.dll
2009-12-01 06:20:34 1902 ------w- c:\windows\system32\SetupBD.din
2009-12-01 06:20:20 5110 ----a-w- c:\windows\system32\e100b325.din
2009-12-01 06:20:20 24064 ----a-w- c:\windows\system32\IntelNic.dll
2009-12-01 06:20:20 154112 -c--a-w- c:\windows\system32\dllcache\e100b325.sys
2009-12-01 06:20:20 154112 ----a-w- c:\windows\system32\drivers\e100b325.sys
2009-12-01 06:20:20 12288 ----a-w- c:\windows\system32\e100bmsg.dll
2009-12-01 06:20:20 118784 ----a-w- c:\windows\system32\Prounstl.exe
2009-12-01 06:20:20 0 d-----w- C:\drvrtmp
2009-12-01 06:19:17 7552 ----a-w- c:\windows\system32\drivers\mskssrv.sys
2009-12-01 06:19:16 4992 ----a-w- c:\windows\system32\drivers\mspqm.sys
2009-12-01 06:19:14 5376 ----a-w- c:\windows\system32\drivers\mspclock.sys
2009-12-01 06:19:13 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2009-12-01 06:19:13 16128 ----a-w- c:\windows\system32\drivers\MODEMCSA.sys
2009-12-01 06:19:12 4096 -c--a-w- c:\windows\system32\dllcache\ksuser.dll
2009-12-01 06:19:12 4096 ----a-w- c:\windows\system32\ksuser.dll
2009-12-01 06:19:12 129536 -c--a-w- c:\windows\system32\dllcache\ksproxy.ax
2009-12-01 06:19:12 129536 ----a-w- c:\windows\system32\ksproxy.ax
2009-12-01 06:19:07 0 d-----w- c:\program files\CONEXANT
2009-12-01 06:18:44 680704 ----a-w- c:\windows\system32\drivers\HSF_CNXT.sys
2009-12-01 06:18:44 32218 ----a-w- c:\windows\system32\HSFCI008.dll
2009-12-01 06:18:44 212224 ----a-w- c:\windows\system32\drivers\HSFHWBS2.sys
2009-12-01 06:18:44 128398 ----a-w- c:\windows\system32\drivers\del200f.cty
2009-12-01 06:18:44 1042432 ----a-w- c:\windows\system32\drivers\HSF_DP.sys
2009-12-01 06:11:21 446464 ----a-r- c:\windows\system32\hhactivex.dll
2009-12-01 06:11:21 176128 ----a-w- c:\windows\system32\RcdScan.dll
2009-12-01 06:11:20 7348 ----a-w- c:\windows\system32\Odbcjet.cnt
2009-12-01 06:11:20 645616 ----a-w- c:\windows\system32\MSCOMCT2.OCX
2009-12-01 06:11:20 414944 ----a-w- c:\windows\system32\COMCT332.OCX
2009-12-01 06:11:20 328480 ----a-w- c:\windows\system32\ssa3d30.ocx
2009-12-01 06:11:20 171967 ----a-w- c:\windows\system32\Odbcjet.hlp
2009-12-01 06:11:20 1071088 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2009-12-01 06:11:19 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2009-12-01 06:11:17 13632 ------w- c:\windows\system32\drivers\omci.sys
2009-11-30 19:17:52 0 d-----w- c:\program files\common files\ODBC
2009-11-30 19:17:50 0 d-----w- c:\program files\common files\SpeechEngines
2009-11-30 19:17:31 0 d-----r- c:\documents and settings\all users\Documents
2009-11-30 09:23:56 0 d-sh--w- c:\documents and settings\all users\DRM
2009-11-30 09:22:52 0 d-----w- c:\program files\common files\MSSoap
2009-11-30 09:21:55 0 d--h--w- c:\program files\WindowsUpdate
2009-11-30 09:21:55 0 d-----w- c:\program files\Online Services
2009-11-30 09:21:50 0 d-----w- c:\program files\Messenger
2009-11-30 09:21:46 0 d-----w- c:\program files\MSN Gaming Zone
2009-11-30 09:21:21 0 d-----w- c:\program files\Windows NT

==================== Find3M ====================

2009-11-30 09:22:33 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll

============= FINISH: 17:02:31.26 ===============

Edited by langdon auger, 07 December 2009 - 02:20 AM.


#2 langdon auger

  • Topic Starter
  • Members
  • 31 posts

Posted 17 December 2009 - 07:18 PM

Don't worry, everything seems ok now.

#3 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 19 December 2009 - 01:04 PM

Thanks for letting us know and good luck in the future. :(


Since this issue appears to be resolved ... this Topic has been closed.

If you're the topic starter and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.