Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

malware infection win32/esfury worm..


  • This topic is locked This topic is locked
14 replies to this topic

#1 bhadkow

bhadkow

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:08:06 AM

Posted 08 August 2010 - 04:09 PM

hi all., i am on a windows 7 system,amd quad procy4gb ram ,


its been infected by malware after connecting an already infected ext. hdd, i was using microsoft secuirty essentials at that time and it did not detect any malware.,but frequent browser crashers(IE8,chrome,firefox), failure to show hidden files, browser jacking etc were the immediate symptoms. Scanning with kasperky pure didnt help either ,it just blocked a harmful link to payload site from executing, and a later scan after update through MSE showed a worm WIN32/ESFURY , but couldn't quarantine or delete it. then i ran AVG rescue cd through usb and deleted winlogon.exe (created by the worm)., then, installed avira antivirus and scanned the system , it removed few adware, but didn't show any infections. Online scan by windows live care,panda security, bit defender, eset didn't show anything either (note: eset online scan stopped at 99%).,then i googled about the worm and removed changes made by the worm to registry manually through regedit , then scanned with SAS it detected the worms, browser jacking and asked for a restart for quarantine, after restarting i scanned again with MBAM - it showed the same results and asked for a restart, but the problems still persist..

1) whenever i open a folder,its opening in a new window.
2)hidden files are not shown although show hidden option is selected in folder options.
3)running firefox opens up a box for installing aa addon with some random name, selecting no opens firefox ,but its minimized immediately.

most of the programs run fine, no noticible changes in system performance,anti-virus programs run fine, no browser redirections. but clearly the system is still infected, how do i get rid of this.,??? i have generated hijackthis log file, but donot understand it well, can somebody help me cleaning my system? thank you.


i am attaching the log file.

Attached Files



BC AdBot (Login to Remove)

 


#2 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:36 AM

Posted 16 August 2010 - 02:43 AM

Hello and welcome to Bleeping Computer! welcome.gif

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log





Elle
Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.



Posted Image

#3 bhadkow

bhadkow
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:08:06 AM

Posted 16 August 2010 - 08:47 AM

hello blind faith, thank you for replying,

i solved problems 1,2 mentioned in my previous post by using RRT toolkit from SERGIWA. And for problem 3, i uninstalled firefox (3.6.6), removed all preferences and installed latest version(3.6.8), its good now. Everything else from my previous post is the same. i don't know if there are any hidden malware as there are no noticeable weird stuff happening but, i do not want to take any risks.


here is my dds log..





DDS (Ver_10-03-17.01) - NTFSx86
Run by Sandeep at 18:39:59.94 on 16-08-2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.91.1033.18.3327.2076 [GMT 5.5:30]

SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe
C:\Program Files\Hotspot Shield\bin\hsswd.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Launchy\Launchy.exe
C:\Users\Sandeep\AppData\Roaming\Google\Google Talk\googletalk.exe
C:\Users\Sandeep\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Sandeep\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Users\Sandeep\AppData\Local\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\Users\Sandeep\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Sandeep\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Sandeep\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.Google.com
uDefault_Search_URL = hxxp://www.Google.com
uLocal Page = hxxp://www.Google.com
uSearch Page = hxxp://www.Google.com
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
uRun: [<NO NAME>]
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [HDAudDeck] c:\program files\via\viaudioi\vdeck\VDeck.exe -r
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRunOnce: [<NO NAME>]
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\launchy.lnk - c:\program files\launchy\Launchy.exe
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
mPolicies-explorer: NoWindowsUpdate = 0 (0x0)
mPolicies-explorer: NoViewOnDrive = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Send by Bluetooth - c:\program files\ivt corporation\bluesoleil\transsend\ie\tsinfo.htm
IE: Send via &Message... - c:\program files\ivt corporation\bluesoleil\transsend\ie\tssms.htm
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\idmmbc.dll
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\windows\system32\skype4com.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\sandeep\appdata\roaming\mozilla\firefox\profiles\j72w8jb5.default\
FF - component: c:\users\sandeep\appdata\roaming\idm\idmmzcc3\components\idmmzcc.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\users\sandeep\appdata\local\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\windows\system32\wat\npWatWeb.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 01717042;01717042 Boot Guard Driver;c:\windows\system32\drivers\01717042.sys [2010-8-8 37392]
R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2009-1-7 20744]
R1 01717041;01717041;c:\windows\system32\drivers\01717041.sys [2010-8-8 128016]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-8-8 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-8-8 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-8-8 60936]
R2 BsMobileCS;BsMobileCS;c:\program files\ivt corporation\bluesoleil\BsMobileCS.exe [2009-2-27 143467]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\hotspot shield\bin\hsswd.exe -product hss --> c:\program files\hotspot shield\bin\hsswd.exe -product HSS [?]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-8-9 1153368]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-6-7 240232]
R2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2009-12-17 185640]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2010\TuneUpUtilitiesService32.exe [2010-2-25 1047880]
R3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [2008-12-7 30088]
R3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2008-7-2 26248]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2010-7-3 66592]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2010\TuneUpUtilitiesDriver32.sys [2010-2-25 10064]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2010-2-3 1077760]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-21 136176]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-5-5 14216]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2010-5-5 8456]
S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\drivers\ivusb.sys [2010-3-10 25112]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-2-25 1343400]

=============== Created Last 30 ================

2010-08-15 08:35:18 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2010-08-15 08:35:18 430080 ----a-w- c:\windows\system32\MSREPL35.DLL
2010-08-15 08:35:18 368912 ----a-w- c:\windows\system32\VBAR332.DLL
2010-08-15 08:35:18 252176 ----a-w- c:\windows\system32\MSRD2X35.DLL
2010-08-15 08:35:18 24848 ----a-w- c:\windows\system32\MSJTER35.DLL
2010-08-15 08:35:18 123664 ----a-w- c:\windows\system32\MSJINT35.DLL
2010-08-15 08:35:18 1056768 ----a-w- c:\windows\system32\MSJET35.DLL
2010-08-15 08:35:09 299520 ----a-w- c:\windows\uninst.exe
2010-08-10 19:20:03 37376 ----a-w- c:\windows\system32\rtutils.dll
2010-08-10 19:17:35 978432 ----a-w- c:\windows\system32\wininet.dll
2010-08-10 19:17:35 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-08-10 19:16:50 3955080 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-08-10 19:16:50 3899784 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-08-10 19:16:29 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-08-10 19:16:28 2326016 ----a-w- c:\windows\system32\win32k.sys
2010-08-10 19:16:20 1233920 ----a-w- c:\windows\system32\msxml3.dll
2010-08-10 19:16:19 82944 ----a-w- c:\windows\system32\iccvid.dll
2010-08-10 19:16:19 310784 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-10 19:16:19 307200 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-08-10 19:16:19 224256 ----a-w- c:\windows\system32\schannel.dll
2010-08-10 19:16:19 197632 ----a-w- c:\windows\system32\ir32_32.dll
2010-08-10 19:16:19 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-08-09 14:37:00 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-08-09 14:37:00 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-08-09 00:36:50 7302 ----a-w- c:\windows\system32\rrt_vf.wav
2010-08-09 00:36:50 7148 ----a-w- c:\windows\system32\rrt_tv.wav
2010-08-09 00:36:50 6282 ----a-w- c:\windows\system32\rrt_tn.wav
2010-08-09 00:36:50 16244 ----a-w- c:\windows\system32\rrt_is.wav
2010-08-08 19:05:15 20 ----a-w- c:\users\sandeep\defogger_reenable
2010-08-08 15:45:46 0 d-----w- c:\users\sandeep\appdata\roaming\SUPERAntiSpyware.com
2010-08-08 15:45:46 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-08-08 15:42:11 0 d-----w- c:\users\sandeep\appdata\roaming\Malwarebytes
2010-08-08 15:42:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-08 15:42:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-08 15:42:02 0 d-----w- c:\programdata\Malwarebytes
2010-08-08 15:42:02 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-08 14:19:53 0 d-----w- c:\users\sandeep\appdata\roaming\Avira
2010-08-08 14:00:38 37392 ----a-w- c:\windows\system32\drivers\01717042.sys
2010-08-08 14:00:38 311312 ----a-w- c:\windows\system32\drivers\0171704.sys
2010-08-08 14:00:38 128016 ----a-w- c:\windows\system32\drivers\01717041.sys
2010-08-08 13:28:19 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-08-08 13:28:18 0 d-----w- c:\programdata\Avira
2010-08-08 13:28:18 0 d-----w- c:\program files\Avira
2010-08-08 12:12:26 0 d-----w- c:\programdata\Kaspersky Lab Setup Files
2010-08-08 07:04:17 0 d-----w- c:\program files\Panda Security
2010-07-31 04:42:15 0 d-----w- c:\users\sandeep\appdata\roaming\PhoneRemoteControl
2010-07-31 04:42:15 0 d-----w- c:\program files\Phone Remote Control
2010-07-18 12:41:21 88632 ----a-w- c:\windows\system32\drivers\CSCrySec.sys
2010-07-18 12:41:21 39352 ----a-w- c:\windows\system32\drivers\CSVirtualDiskDrv.sys
2010-07-18 12:40:26 0 d-----w- c:\programdata\Kaspersky Lab
2010-07-18 11:51:39 0 d-----w- c:\users\sandeep\appdata\roaming\QuickScan
2010-07-18 11:30:02 0 d-----w- c:\programdata\Norton
2010-07-18 11:29:40 0 d-----w- c:\programdata\NortonInstaller
2010-07-17 20:05:12 0 d-sha-r- c:\users\sandeep\Sandeep1

==================== Find3M ====================

2010-07-03 07:27:29 696072 ----a-w- c:\windows\M3N78-VM-1602.zip
2010-06-25 10:31:20 41936 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
2010-06-25 10:31:16 142992 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
2010-06-25 10:31:16 133648 ----a-w- c:\windows\system32\VBoxNetFltNotify.dll
2010-06-25 10:31:16 111312 ----a-w- c:\windows\system32\drivers\VBoxNetFlt.sys
2010-06-25 10:31:16 100496 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys
2010-06-21 12:54:34 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-07 12:18:04 13917800 ----a-w- c:\windows\system32\nvcpl.dll
2010-06-07 12:18:04 1331816 ----a-w- c:\windows\system32\nvsvc.dll
2010-06-07 12:18:04 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-06-07 12:18:04 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-06-03 02:41:44 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-05-28 07:28:26 600680 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-05-27 07:24:13 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-27 03:49:37 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 08:44:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2010-02-23 16:09:14 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\cookies\index.dat
2010-02-23 16:09:14 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\history\history.ie5\index.dat
2010-02-23 16:09:14 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\temporary internet files\content.ie5\index.dat
2010-02-03 11:40:56 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 18:40:44.93 ===============



and i am attaching the requested gmer log as well, will also attach the 'attach.txt' log from dds scan if you want. hope i have followed your instructions correctly,

thank you smile.gif

Attached Files

  • Attached File  ark.txt   29.96KB   6 downloads

Edited by bhadkow, 16 August 2010 - 08:50 AM.


#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:04:36 AM

Posted 19 August 2010 - 07:15 AM

Hi,

since you seem to have solved problems 1,2, and 3 I am not sure what tells you that your PC is still infected? Is Avira still picking up infections?

Please run a scan with rootkit unhooker:
Please download Rootkit Unhooker and save it to your Desktop
  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth, and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#5 bhadkow

bhadkow
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:08:06 AM

Posted 19 August 2010 - 01:35 PM

Avira is not picking up any infections.


Here,s the report.


RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows 7
Version 6.1.7600
Number of processors #4
==============================================
>Drivers
==============================================
0x93A2F000 C:\Windows\system32\DRIVERS\nvlddmkm.sys 10883072 bytes (NVIDIA Corporation, NVIDIA Windows Kernel Mode Driver, Version 257.21 )
0x9240F000 C:\Windows\system32\DRIVERS\01717041.sys 5373952 bytes (Kaspersky Lab, Kaspersky Unified Driver)
0x83A1E000 C:\Windows\system32\ntkrnlpa.exe 4259840 bytes (Microsoft Corporation, NT Kernel & System)
0x83A1E000 PnpManager 4259840 bytes
0x83A1E000 RAW 4259840 bytes
0x83A1E000 WMIxWDM 4259840 bytes
0x9BD30000 Win32k 2400256 bytes
0x9BD30000 C:\Windows\System32\win32k.sys 2400256 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0x9A687000 C:\Windows\system32\drivers\viahduaa.sys 1515520 bytes (VIA Technologies, Inc., VIA High Definition Audio Function Driver)
0x8CC29000 C:\Windows\System32\drivers\tcpip.sys 1347584 bytes (Microsoft Corporation, TCP/IP Driver)
0x8C81F000 C:\Windows\System32\Drivers\Ntfs.sys 1241088 bytes (Microsoft Corporation, NT File System Driver)
0x94492000 C:\Windows\System32\drivers\dxgkrnl.sys 749568 bytes (Microsoft Corporation, DirectX Graphics Kernel)
0x8CA2B000 C:\Windows\system32\drivers\ndis.sys 749568 bytes (Microsoft Corporation, NDIS 6.20 driver)
0x8C473000 C:\Windows\system32\CI.dll 700416 bytes (Microsoft Corporation, Code Integrity Module)
0xA4476000 C:\Windows\system32\drivers\peauth.sys 618496 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
0x9B54B000 C:\Windows\system32\drivers\HTTP.sys 544768 bytes (Microsoft Corporation, HTTP Protocol Stack)
0x8C52B000 C:\Windows\system32\drivers\Wdf01000.sys 462848 bytes (Microsoft Corporation, Kernel Mode Driver Framework Runtime)
0x92019000 C:\Windows\system32\drivers\csc.sys 409600 bytes (Microsoft Corporation, Windows Client Side Caching Driver)
0x8C98C000 C:\Windows\System32\Drivers\cng.sys 380928 bytes (Microsoft Corporation, Kernel Cryptography, Next Generation)
0x90C04000 C:\Windows\system32\drivers\afd.sys 368640 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x920E6000 C:\Windows\system32\DRIVERS\nvm62x32.sys 348160 bytes (NVIDIA Corporation, NVIDIA MCP Networking Function Driver.)
0xA4596000 C:\Windows\System32\DRIVERS\srv.sys 331776 bytes (Microsoft Corporation, Server driver)
0xA4547000 C:\Windows\System32\DRIVERS\srv2.sys 323584 bytes (Microsoft Corporation, Smb 2.0 Server driver)
0x929A3000 C:\Windows\system32\DRIVERS\USBPORT.SYS 307200 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0x8C68C000 C:\Windows\System32\drivers\volmgrx.sys 307200 bytes (Microsoft Corporation, Volume Manager Extension Driver)
0x8C5AA000 C:\Windows\system32\DRIVERS\ACPI.sys 294912 bytes (Microsoft Corporation, ACPI Driver for NT)
0x90D0A000 C:\Windows\system32\drivers\vpcvmm.sys 290816 bytes (Microsoft Corporation, Virtual PC Virtual Machine Monitor)
0x9A632000 C:\Windows\system32\DRIVERS\usbhub.sys 278528 bytes (Microsoft Corporation, Default Hub Driver for USB)
0x8C431000 C:\Windows\system32\CLFS.SYS 270336 bytes (Microsoft Corporation, Common Log File System Driver)
0x90D92000 C:\Windows\system32\DRIVERS\rdbss.sys 266240 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0x8CDAC000 C:\Windows\system32\DRIVERS\volsnap.sys 258048 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0x8CAE2000 C:\Windows\system32\drivers\NETIO.SYS 253952 bytes (Microsoft Corporation, Network I/O Subsystem)
0xA4419000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 241664 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
0x94549000 C:\Windows\System32\drivers\dxgmms1.sys 233472 bytes (Microsoft Corporation, DirectX Graphics MMS)
0x83E2E000 ACPI_HAL 225280 bytes
0x83E2E000 C:\Windows\system32\halmacpi.dll 225280 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0x8C600000 C:\Windows\system32\DRIVERS\vpchbus.sys 221184 bytes (Microsoft Corporation, Virtual PC Host Bus Driver)
0x8C737000 C:\Windows\system32\drivers\fltmgr.sys 212992 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0x9219D000 C:\Windows\system32\DRIVERS\ks.sys 212992 bytes (Microsoft Corporation, Kernel CSA Library)
0x8CB72000 C:\Windows\System32\DRIVERS\fvevol.sys 204800 bytes (Microsoft Corporation, BitLocker Drive Encryption Driver)
0x90C5E000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
0x8CD72000 C:\Windows\System32\drivers\fwpkclnt.sys 200704 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
0xA6C78000 C:\Windows\System32\Drivers\RDPWD.SYS 200704 bytes (Microsoft Corporation, RDP Terminal Stack Driver)
0x9A600000 C:\Windows\system32\drivers\portcls.sys 192512 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0x8CB45000 C:\Windows\System32\drivers\rdyboost.sys 184320 bytes (Microsoft Corporation, ReadyBoost Driver)
0x8C94E000 C:\Windows\System32\Drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
0xA6D2A000 C:\Windows\System32\Drivers\fastfat.SYS 172032 bytes (Microsoft Corporation, Fast FAT File System Driver)
0x8C641000 C:\Windows\system32\DRIVERS\pci.sys 172032 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0x8CBA4000 C:\Windows\system32\DRIVERS\CLASSPNP.SYS 151552 bytes (Microsoft Corporation, SCSI Class System Dll)
0x8CB20000 C:\Windows\System32\Drivers\ksecpkg.sys 151552 bytes (Microsoft Corporation, Kernel Security Support Provider Interface Packages)
0xA6C3C000 C:\Windows\System32\drivers\rdpdr.sys 151552 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0x8C70B000 C:\Windows\system32\DRIVERS\ataport.SYS 143360 bytes (Microsoft Corporation, ATAPI Driver Extension)
0x8CBC9000 C:\Windows\system32\DRIVERS\mrxsmb.sys 143360 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0x920A3000 C:\Windows\system32\DRIVERS\avipbb.sys 139264 bytes (Avira GmbH, Avira Driver for Security Enhancement)
0x93A00000 C:\Windows\system32\DRIVERS\ndiswan.sys 139264 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0x90D5A000 C:\Windows\system32\DRIVERS\VBoxDrv.sys 139264 bytes (Oracle Corporation, VirtualBox Support Driver)
0xA4517000 C:\Windows\System32\DRIVERS\srvnet.sys 135168 bytes (Microsoft Corporation, Server Network driver)
0x9292F000 C:\Windows\system32\DRIVERS\tunnel.sys 135168 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x8C77C000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
0x8CA00000 C:\Windows\system32\DRIVERS\cdrom.sys 126976 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0x920C7000 C:\Windows\system32\DRIVERS\HDAudBus.sys 126976 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
0x90CA0000 C:\Windows\system32\DRIVERS\pacer.sys 126976 bytes (Microsoft Corporation, QoS Packet Scheduler)
0x9BFC0000 C:\Windows\System32\cdd.dll 122880 bytes (Microsoft Corporation, Canonical Display Driver)
0x9B4F3000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
0xA4454000 C:\Windows\system32\DRIVERS\mrxsmb20.sys 110592 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
0x90CDD000 C:\Windows\system32\DRIVERS\serial.sys 106496 bytes (Microsoft Corporation, Serial Device Driver)
0x92183000 C:\Windows\system32\DRIVERS\VBoxNetFlt.sys 106496 bytes (Oracle Corporation, VirtualBox Bridged Networking Driver)
0x9B50E000 C:\Windows\system32\drivers\WudfPf.sys 106496 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0x9B5D0000 C:\Windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
0x9B418000 C:\Windows\system32\drivers\drmk.sys 102400 bytes (Microsoft Corporation, Microsoft Trusted Audio Drivers)
0x9207D000 C:\Windows\System32\Drivers\dfsc.sys 98304 bytes (Microsoft Corporation, DFS Namespace Client Driver)
0x9296C000 C:\Windows\system32\DRIVERS\parport.sys 98304 bytes (Microsoft Corporation, Parallel Port Driver)
0x945BC000 C:\Windows\system32\DRIVERS\rasl2tp.sys 98304 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0x945DF000 C:\Windows\system32\DRIVERS\raspppoe.sys 98304 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0x921DF000 C:\Windows\system32\DRIVERS\vpcusb.sys 98304 bytes (Microsoft Corporation, Virtual USB Connector Driver)
0x9213B000 C:\Windows\system32\DRIVERS\raspptp.sys 94208 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0x92152000 C:\Windows\system32\DRIVERS\rassstp.sys 94208 bytes (Microsoft Corporation, RAS SSTP Miniport Call Manager)
0x8C7CE000 C:\Windows\system32\DRIVERS\tdx.sys 94208 bytes (Microsoft Corporation, TDI Translation Driver)
0x9B480000 C:\Windows\system32\DRIVERS\usbccgp.sys 94208 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0x8C6EC000 C:\Windows\System32\drivers\mountmgr.sys 90112 bytes (Microsoft Corporation, Mount Point Manager)
0x9B4DE000 C:\Windows\system32\DRIVERS\avgntflt.sys 86016 bytes (Avira GmbH, Avira Minifilter Driver)
0x9B4A2000 C:\Windows\system32\DRIVERS\HIDCLASS.SYS 77824 bytes (Microsoft Corporation, Hid Class Library)
0x8C979000 C:\Windows\System32\Drivers\ksecdd.sys 77824 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0x9B431000 C:\Windows\system32\drivers\nvhda32v.sys 77824 bytes (NVIDIA Corporation, NVIDIA HDMI Audio Driver)
0x9B538000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
0x90CF7000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0x945AA000 C:\Windows\system32\DRIVERS\AgileVpn.sys 73728 bytes (Microsoft Corporation, RAS Agile Vpn Miniport Call Manager)
0x9B5E9000 C:\Windows\System32\drivers\mpsdrv.sys 73728 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
0x92950000 C:\Windows\system32\DRIVERS\amdppm.sys 69632 bytes (Microsoft Corporation, Processor Device Driver)
0x8CC18000 C:\Windows\system32\DRIVERS\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
0x9B46F000 C:\Windows\System32\Drivers\dump_dumpfve.sys 69632 bytes
0x8C76B000 C:\Windows\system32\drivers\fileinfo.sys 69632 bytes (Microsoft Corporation, FileInfo Filter Driver)
0x9A676000 C:\Windows\System32\Drivers\NDProxy.SYS 69632 bytes (Microsoft Corporation, NDIS Proxy)
0x8C66B000 C:\Windows\System32\drivers\partmgr.sys 69632 bytes (Microsoft Corporation, Partition Management Driver)
0x8C418000 C:\Windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
0x9B528000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
0x8CC00000 C:\Windows\System32\Drivers\mup.sys 65536 bytes (Microsoft Corporation, Multiple UNC Provider Driver)
0x90D7C000 C:\Windows\system32\DRIVERS\termdd.sys 65536 bytes (Microsoft Corporation, Remote Desktop Server Driver)
0x8C67C000 C:\Windows\system32\DRIVERS\volmgr.sys 65536 bytes (Microsoft Corporation, Volume Manager Driver)
0x90CBF000 C:\Windows\system32\DRIVERS\vpcnfltr.sys 65536 bytes (Microsoft Corporation, Virtual PC Network Filter Driver)
0x929EE000 C:\Windows\system32\DRIVERS\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0x92095000 C:\Windows\system32\DRIVERS\blbdrive.sys 57344 bytes (Microsoft Corporation, BLB Drive Driver)
0x90CCF000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
0x8C7C0000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
0x8C6DE000 C:\Windows\system32\DRIVERS\PCIIDEX.SYS 57344 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0x8C9E9000 C:\Windows\System32\drivers\pcw.sys 57344 bytes (Microsoft Corporation, Performance Counters for Windows Driver)
0x921D1000 C:\Windows\system32\DRIVERS\umbus.sys 57344 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
0x8C59C000 C:\Windows\system32\drivers\WDFLDR.SYS 57344 bytes (Microsoft Corporation, Kernel Mode Driver Framework Loader)
0x8C51E000 C:\Windows\system32\DRIVERS\01717042.sys 53248 bytes (Kaspersky Lab, Kaspersky Lab Boot Guard Driver)
0x9459D000 C:\Windows\system32\DRIVERS\CompositeBus.sys 53248 bytes (Microsoft Corporation, Multi-Transport Composite Bus Enumerator)
0x9B44E000 C:\Windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)
0x92169000 C:\Windows\system32\DRIVERS\kbdclass.sys 53248 bytes (Microsoft Corporation, Keyboard Class Driver)
0x92176000 C:\Windows\system32\DRIVERS\mouclass.sys 53248 bytes (Microsoft Corporation, Mouse Class Driver)
0xA4538000 C:\Windows\System32\drivers\tcpipreg.sys 53248 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
0xA6C6B000 C:\Windows\System32\DRIVERS\tssecsrv.sys 53248 bytes (Microsoft Corporation, TS Security Filter Driver)
0x92000000 C:\Windows\system32\DRIVERS\usbrpm.sys 53248 bytes (Microsoft Corporation, Windows USB Redirection Policy Manager)
0x8C80C000 C:\Windows\System32\drivers\watchdog.sys 53248 bytes (Microsoft Corporation, Watchdog Driver)
0x90DE7000 C:\Windows\System32\drivers\discache.sys 49152 bytes (Microsoft Corporation, System Indexer/Cache Driver)
0x9B4BC000 C:\Windows\system32\DRIVERS\kbdhid.sys 49152 bytes (Microsoft Corporation, HID Keyboard Filter Driver)
0x8C800000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0x9B45B000 C:\Windows\System32\Drivers\dump_dumpata.sys 45056 bytes
0x92961000 C:\Windows\system32\DRIVERS\fdc.sys 45056 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0x9B497000 C:\Windows\system32\DRIVERS\hidusb.sys 45056 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0x8C40D000 C:\Windows\system32\mcupdate_AuthenticAMD.dll 45056 bytes (Microsoft Corporation, AMD Microcode Update Library)
0x9B4D3000 C:\Windows\system32\DRIVERS\monitor.sys 45056 bytes (Microsoft Corporation, Monitor Driver)
0x9B4C8000 C:\Windows\system32\DRIVERS\mouhid.sys 45056 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0x8C7B5000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
0x945D4000 C:\Windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0x8C7E5000 C:\Windows\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)
0x8C636000 C:\Windows\system32\DRIVERS\vdrvroot.sys 45056 bytes (Microsoft Corporation, Virtual Drive Root Enumerator)
0x9B444000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
0x9200D000 C:\Windows\system32\DRIVERS\flpydisk.sys 40960 bytes (Microsoft Corporation, Floppy Driver)
0x90DDD000 C:\Windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
0x90DD3000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
0x93A22000 C:\Windows\system32\DRIVERS\rdpbus.sys 40960 bytes (Microsoft Corporation, Microsoft RDP Bus Device driver)
0xA450D000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0x92986000 C:\Windows\system32\DRIVERS\serenum.sys 40960 bytes (Microsoft Corporation, Serial Port Enumerator)
0xA6C61000 C:\Windows\system32\drivers\tdtcp.sys 40960 bytes (Microsoft Corporation, TCP Transport Driver)
0x92999000 C:\Windows\system32\DRIVERS\usbohci.sys 40960 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0x8C72E000 C:\Windows\system32\DRIVERS\amdxata.sys 36864 bytes (Advanced Micro Devices, Storage Filter Driver)
0x8C702000 C:\Windows\system32\DRIVERS\atapi.sys 36864 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
0x9B466000 C:\Windows\System32\Drivers\dump_atapi.sys 36864 bytes
0x8C9F7000 C:\Windows\System32\Drivers\Fs_Rec.sys 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
0xA6D6B000 C:\Windows\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0x92990000 C:\Windows\system32\DRIVERS\nvsmu.sys 36864 bytes (NVIDIA Corporation, NVIDIA nForce™ SMU Microcontroller Driver)
0x9BF90000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
0x90D51000 C:\Windows\system32\DRIVERS\VBoxUSBMon.sys 36864 bytes (Oracle Corporation, VirtualBox USB Monitor Driver)
0x8CDA3000 C:\Windows\system32\DRIVERS\vmstorfl.sys 36864 bytes (Microsoft Corporation, Virtual Storage Filter Driver)
0x94582000 C:\Windows\system32\DRIVERS\wmiacpi.sys 36864 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0x8C5F2000 C:\Windows\system32\DRIVERS\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0x90C90000 C:\Windows\system32\drivers\ws2ifsl.sys 36864 bytes (Microsoft Corporation, Winsock2 IFS Layer)
0x8C429000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
0x8CC10000 C:\Windows\System32\drivers\hwpolicy.sys 32768 bytes (Microsoft Corporation, Hardware Policy Driver)
0x80BD5000 C:\Windows\system32\kdcom.dll 32768 bytes (Microsoft Corporation, Serial Kernel Debugger)
0x8C400000 C:\Windows\system32\DRIVERS\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
0x8C79D000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x8C7A5000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Encoder Miniport)
0x8C7AD000 C:\Windows\system32\drivers\rdprefmp.sys 32768 bytes (Microsoft Corporation, RDP Reflector Driver Miniport)
0x8CDEB000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
0x8CBF2000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
0x9B4B5000 C:\Windows\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0x8CA1F000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
0xA446F000 C:\Windows\system32\DRIVERS\parvdm.sys 28672 bytes (Microsoft Corporation, VDM Parallel Driver)
0x8C6D7000 C:\Windows\system32\DRIVERS\pciide.sys 28672 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0x945F7000 C:\Windows\system32\DRIVERS\taphss.sys 28672 bytes (AnchorFree Inc, TAP-Win32 Virtual Network Driver)
0x94591000 C:\Windows\System32\Drivers\VcommMgr.sys 28672 bytes (IVT Corporation., Bluetooth VcommMgr Driver)
0x90C99000 C:\Windows\system32\DRIVERS\wfplwf.sys 28672 bytes (Microsoft Corporation, WFP NDIS 6.20 Lightweight Filter Driver)
0x9458B000 C:\Windows\System32\Drivers\btnetBus.sys 24576 bytes
0x92400000 C:\Windows\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0x90D8C000 C:\Windows\system32\DRIVERS\ssmdrv.sys 24576 bytes (Avira GmbH, AVIRA SnapShot Driver)
0x94598000 C:\Windows\System32\Drivers\IvtBtBus.sys 20480 bytes (IVT Corporation., IVT Bluetooth Bus Device Driver)
0x8CDF3000 C:\Windows\System32\Drivers\BtHidBus.sys 16384 bytes (IVT Corporation., Bluetooth HID BUS Driver)
0x92984000 C:\Windows\system32\DRIVERS\ASACPI.sys 8192 bytes (-, ATK0110 ACPI Utility)
0x920C5000 C:\Windows\system32\drivers\AsIO.sys 8192 bytes
0x94490000 C:\Windows\system32\DRIVERS\nvBridge.kmd 8192 bytes (NVIDIA Corporation, NVIDIA Compatible Windows Vista Kernel Mode Driver, Version 257.21 )
0x93A2C000 C:\Windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0x945FE000 C:\Windows\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xA4545000 C:\Windows\system32\DRIVERS\VComm.sys 8192 bytes (IVT Corporation., Bluetooth Serial Port Driver)
0xA45E7000 C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys 4096 bytes (TuneUp Software, TuneUp Utilities Driver)
==============================================
>Stealth
==============================================
0xA6CD3F2E Unknown thread object [ ETHREAD 0x885455E8 ] , 600 bytes


i just want to make sure my system is clean. coz before removing the virus the situation was pretty bad., and i removed a few things manually and am not sure if it was ok to do that. thank you for helping me.. myrti

#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:04:36 AM

Posted 20 August 2010 - 06:17 AM

Hi,

have you since rebooted the PC? If not please do the following:

1. Start Rootkit Unhooker
2. Wait for the main window to show up. Click on the Tools menu.
3. Click on Dump Memory Region.
4. In the Dump Start At text box, please enter "A6CD3F2E", without the quotes.
5. In the Dump Length Is text box, please enter "00000258", without the quotes.
6. Click on the Dump button.
7. A dialog will appear, asking you where to save the dump to. Please save it on your Desktop, as Dump.txt
8. Please attach the "Dump.txt" text file on your desktop in your next post.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#7 bhadkow

bhadkow
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:08:06 AM

Posted 20 August 2010 - 12:35 PM

no, i haven't rebooted my system..., system uptime 2:06:41:33

the generated dump.txt file is blank!! anyways attaching the blank dump.txt ...., hope i am doing it correctly .


ps: i might shutdown my pc .., tonight..,

Attached Files

  • Attached File  Dump.txt   600bytes   2 downloads

Edited by bhadkow, 20 August 2010 - 12:35 PM.


#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:04:36 AM

Posted 20 August 2010 - 12:58 PM

Hi,

no, it is possible that it is empty.

Could you please run a scan with gmer as well:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#9 bhadkow

bhadkow
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:08:06 AM

Posted 20 August 2010 - 06:02 PM

the system crashed(BSOD) after saving the log.., here's the log




GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-21 04:26:01
Windows 6.1.7600
Running: xu7coqsn.exe; Driver: C:\Users\Sandeep\AppData\Local\Temp\pgldrpow.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83E48AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83E48104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83E483F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83E312D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83E30898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83E481DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83E48958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83E486F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83E48F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83E491A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 83A61599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 83A85F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text peauth.sys A447BC9D 28 Bytes [5E, A9, 87, 07, 05, 08, FE, ...]
.text peauth.sys A447BCC1 28 Bytes [5E, A9, 87, 07, 05, 08, FE, ...]
PAGE peauth.sys A4481E20 101 Bytes [66, C2, EF, 28, F0, D2, 8D, ...]
PAGE peauth.sys A448202C 102 Bytes [01, 64, 04, 51, 34, 35, 01, ...]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Launchy\Launchy.exe[3848] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [756C5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Launchy\Launchy.exe[3848] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [756C5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Launchy\Launchy.exe[3848] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [756C5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Launchy\Launchy.exe[3848] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [756C5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000064 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001f81000001
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\111111111111
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\111111111111@0022fcf659ac 0x11 0xD0 0x2B 0x94 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x68 0x92 0x2B 0x7E ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x70 0x86 0x22 0xA9 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x7C 0xE3 0x8C 0xCC ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001f81000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\111111111111 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\111111111111@0022fcf659ac 0x11 0xD0 0x2B 0x94 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x68 0x92 0x2B 0x7E ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x70 0x86 0x22 0xA9 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x7C 0xE3 0x8C 0xCC ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----





#10 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:04:36 AM

Posted 25 August 2010 - 02:14 AM

Hi,

sorry about the delay. The logs are looking good. Just to be safe please run a scan with Eset:
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

Do you have any issues with your PC?

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#11 bhadkow

bhadkow
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:08:06 AM

Posted 25 August 2010 - 09:08 AM

here's the scan result....


C:\Users\Sandeep\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\7f3aa7b5-48af5f90 multiple threats deleted - quarantined


i don't find any 'malware type'issues, although sometimes while using chrome, system hangs up for a few seconds.

#12 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:04:36 AM

Posted 26 August 2010 - 01:56 AM

Hi,

I think we are almost done then. As a final step I would remove the programs we used, unless you have any remaining problems? All the logs showed your PC to be clean.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#13 bhadkow

bhadkow
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:08:06 AM

Posted 26 August 2010 - 05:25 AM

thank you myrti..., thank you bc smile.gif owe u guys 1... tongue.gif

#14 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:04:36 AM

Posted 26 August 2010 - 06:34 AM

Hi,

you're very welcome!

Read those last few lines, in order to keep your pc safe and clean:
Please do the following to clean up your PC:
  1. Delete the tools used during the disinfection:
    • Download OTC from the following mirrors and save it to your desktop:
    • Double click on
    • Push the large "Cleanup" button.
    • Allow your system to reboot.
  2. If OTC faild to remove all programs from your Desktop, please delete the rest manually.
  3. Disable and Enable System Restore.
    You can find instructions on how to disable and reenable system restore here:
    Windows ME System Restore Guide
    Windows XP System Restore Guide
    Windows Vista System Restore Guide

    Note: You should only do this once, not on a regular basis!
    You will not be able to restore computer to any earlier than today!

Please read these advices, in order to prevent reinfecting your PC:
  1. Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on thehosts file, and what it can do for you,please consult the Tutorial on the Hosts file
  2. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holeswill allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  3. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.
  4. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variantsevery single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing sad.gif.
Some more links you might find of interest:Have a nice day
myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#15 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:04:36 AM

Posted 07 September 2010 - 04:44 AM

Since this topic has gone stale, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users