
iexplore.exe running hidden in background


  • This topic is locked
3 replies to this topic

#1 LLLLLLLLL

  • Members
  • 2 posts

Posted 31 July 2010 - 10:01 AM

I've had this annoying bugger on my PC for about a week now. It doesn't create any annoying popups or anything, but I know it's running in the background. GMER's initial scan detects it, too.

The worst part: scans with Malwarebytes, Spybot, Avira, and Avast all missed it. This one's sneaky.

Here are the scan logs:
DDS:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Rob at 18:15:50.15 on Fri 07/30/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2558.1980 [GMT -5:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

svchost.exe 4
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
svchost.exe 4
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
svchost.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Rob\Desktop\dds.scr

============== Pseudo HJT Report ===============

mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyServer = 0.0.0.0:80
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\rob\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [BootSkin Startup Jobs] "c:\progra~1\stardock\wincus~1\bootskin\BootSkin.exe" /StartupJobs
mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
dRun: [cckebwsh] c:\documents and settings\networkservice\local settings\application data\wjrpptbtbeaipvsptssd.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\rob\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\rob\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellne~1.lnk - c:\windows\installer\{0240bdfb-2995-4a3f-8c96-18d41282b716}\Icon0240BDFB3.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} - hxxp://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 0.0.0.0 wikia-ads.wikia.com
Hosts: 0.0.0.0 ads.wikia.nocookie.net
Hosts: 0.0.0.0 dynamic.media.adrevolver.com
Hosts: 0.0.0.0 media.adrevolver.com
Hosts: 0.0.0.0 tags.expo9.exponential.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rob\applic~1\mozilla\firefox\profiles\7gp5c45l.default
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll
FF - plugin: c:\documents and settings\rob\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\web platform installer\NPWPIDetector.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npActiveGS.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-2-24 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-2-24 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-24 40384]
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2010-2-9 12672]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-24 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-24 40384]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-28 136176]
S3 BTCAMDRV;Mobiola Web Camera driver;c:\windows\system32\drivers\BTCamDrv.sys [2008-11-21 219264]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-3-18 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-3-18 8320]
S3 WinRing0_1_2_0;WinRing0_1_2_0;c:\documents and settings\rob\desktop\applications\real temp\WinRing0.sys [2009-4-6 14416]

=============== Created Last 30 ================

2010-07-30 23:07:42 176 ----a-w- c:\documents and settings\rob\defogger_reenable
2010-07-30 21:41:56 9522 ----a-w- c:\windows\Zapotec.bmp
2010-07-30 21:41:56 65978 ----a-w- c:\windows\Soap Bubbles.bmp
2010-07-30 21:41:56 65954 ----a-w- c:\windows\Prairie Wind.bmp
2010-07-30 21:41:56 65832 ----a-w- c:\windows\Santa Fe Stucco.bmp
2010-07-30 21:41:56 26680 ----a-w- c:\windows\River Sumida.bmp
2010-07-30 21:41:56 26582 ----a-w- c:\windows\Greenstone.bmp
2010-07-30 21:41:56 17362 ----a-w- c:\windows\Rhododendron.bmp
2010-07-30 21:41:56 17336 ----a-w- c:\windows\Gone Fishing.bmp
2010-07-30 21:41:56 17062 ----a-w- c:\windows\Coffee Bean.bmp
2010-07-30 21:41:56 16730 ----a-w- c:\windows\FeatherTexture.bmp
2010-07-30 21:41:56 1272 ----a-w- c:\windows\Blue Lace 16.bmp
2010-07-30 21:41:55 214528 ----a-w- c:\windows\system32\dllcache\wordpad.exe
2010-07-30 21:39:38 343040 ----a-w- C:\mspaint.exe
2010-07-24 22:32:10 34304 ----a-w- c:\windows\system32\drivers\AmdLLD.sys
2010-07-24 22:32:05 0 d-----w- c:\program files\AMD
2010-07-24 22:31:09 0 d-----w- c:\windows\system32\AGEIA
2010-07-24 22:30:59 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-07-23 01:10:13 23558 ----a-w- c:\windows\Word Clock.ico
2010-07-23 01:10:12 2170398 ----a-w- c:\windows\Word Clock.scr
2010-07-23 01:10:12 0 d-----w- c:\windows\Word Clock Uninstaller
2010-07-16 23:50:37 0 d-----w- c:\program files\Skulltag
2010-07-14 00:18:49 743936 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-09 04:12:14 294912 ------w- c:\windows\system32\dllcache\msctf.dll
2010-07-01 19:27:01 38848 ----a-w- c:\windows\avastSS.scr

==================== Find3M ====================

2010-07-27 23:31:05 100629 ----a-w- c:\windows\system32\nvModes.dat
2010-05-02 05:56:34 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:56:34 1850880 ------w- c:\windows\system32\dllcache\win32k.sys
2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2007-12-17 12:43:00 27648 --sh--w- c:\windows\system32\Smab0.dll

============= FINISH: 18:16:01.56 ===============

GMER (this one took forever)
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-31 00:29:12
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Rob\LOCALS~1\Temp\pgrdqpow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB77CFCD2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB77CFB8E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xB77D0142]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB77D006C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB77CF764]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB77CFC68]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB77CF6A4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB77CF708]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB77CFD88]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xB77D0210]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB77CFD48]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB77CFEC8]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xB77DCB9C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xB77DC9C0]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xB77DCAFA]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ZwLoadDriver 80582FD6 7 Bytes JMP B77DCAFE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!NtCreateSection 805AA25E 7 Bytes JMP B77DC9C4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BB35A 5 Bytes JMP B77D85B4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObInsertObject 805C1C90 5 Bytes JMP B77D9F6C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805CFE96 7 Bytes JMP B77DCBA0 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8F66380, 0x2F18C7, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[1368] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\BTHUSB \Device\00000088 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\BTHUSB \Device\0000008a bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \FileSystem\Fastfat \Fat B3F50C8A

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0002721aba7f
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0002721aba7f@001a89a34110 0xEB 0x51 0x22 0x46 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0002721aba7f@00157180520b 0xB9 0x0B 0x55 0x23 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0015832a5058
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0015832a5058@001a89a34110 0x8F 0x71 0x14 0xA7 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0015832a5058@00157180520b 0x54 0x83 0xFD 0x56 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xFC 0x41 0x95 0x8E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xD5 0x10 0x6C 0xE8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x49 0x12 0x02 0x60 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0002721aba7f (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0002721aba7f@001a89a34110 0xEB 0x51 0x22 0x46 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0002721aba7f@00157180520b 0xB9 0x0B 0x55 0x23 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0015832a5058 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0015832a5058@001a89a34110 0x8F 0x71 0x14 0xA7 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0015832a5058@00157180520b 0x54 0x83 0xFD 0x56 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xFC 0x41 0x95 0x8E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xD5 0x10 0x6C 0xE8 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x49 0x12 0x02 0x60 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0E1034A1-2537-9C4C-1A58-1F76FF89D844}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0E1034A1-2537-9C4C-1A58-1F76FF89D844}@ialngmnjmljehpjfoh 0x6B 0x61 0x68 0x70 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0E1034A1-2537-9C4C-1A58-1F76FF89D844}@haboifnphclfbhpa 0x6B 0x61 0x68 0x70 ...

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Rob\Local Settings\Application Data\Mozilla\Firefox\Profiles\7gp5c45l.default\Cache\30852E6Cd01 145645 bytes

I did another scan with Avast last night, and it found a file belonging to the Unruy-M trojan. The problem is still there, however, but that might help.


Edited by Budapest, 05 August 2010 - 05:15 PM.
Posts merged ~BP


#2 maranatha

    Whats That !

  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington

Posted 08 August 2010 - 11:49 AM

Hi L
Welcome to Bleeping Computer.
I'm maranatha and I will be handling your log to help you get cleaned up.

Please do this.

Download ComboFix from Here to your Desktop.

It's best to disable realtime protection applications as they sometimes interfere with the tool.
Check this link for any applicable programs you may have.
  • Close all open programs and windows
  • Double click combofix.exe and follow the prompts.
  • Vista and Windows 7 users right click Combofix.exe and select Run As Administrator.
  • When finished, it shall produce a log for you. Post the Combofix log
Note: Do not mouse click combofix's window while it's running. That may cause it to stall.

If you are prompted to install the Recovery Console, Please do so.

Thanks
maranatha

Windows7 Professional 64 Bit

I'm going in the wrong direction to be in a hurry!

My help is always free, but I do accept donations.
Donate Here


#3 maranatha

    Whats That !

  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington

Posted 11 August 2010 - 10:02 AM

Hi
If you still require help, please respond to this thread or it will be closed in 48 hours.

Thanks
maranatha



#4 maranatha

    Whats That !

  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington

Posted 15 August 2010 - 09:13 PM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.





