
Avast / Malware.Trace and Trojan.agent/ Gen-Nullo Short


  • This topic is locked
2 replies to this topic

#1 lost432


Posted 07 December 2010 - 02:22 AM

Hello,

I have run many scanners. They all find something. I have been reading for days. I am tired and totally confused. Looks like they were stealing identity info? I ran GMER; the attached is the one it did. There is also a second one. I do not think you want this one, as it is a mile long?

John



DDS (Ver_10-12-05.01) - NTFSx86
Run by john at 22:51:55.63 on Mon 12/06/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2376 [GMT -8:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\EPSONS~1\Event Manager\EEventManager.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\john\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: KeyScramblerBHO Class: {2b9f5787-88a5-4945-90e7-c4b18563bc5e} - c:\program files\keyscrambler\KeyScramblerIE.dll
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
mRun: [avast5] "c:\progra~1\alwils~1\avast5\avastUI.exe" /nogui
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [EEventManager] c:\progra~1\epsons~1\event manager\EEventManager.exe
mPolicies-explorer: NoResolveTrack = 1 (0x1)
mPolicies-explorer: NoFileAssociate = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - c:\program files\keyscrambler\KeyScramblerIE.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\john\applic~1\mozilla\firefox\profiles\9f70j607.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\john\application data\mozilla\firefox\profiles\9f70j607.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPDFXCviewNPPlugin.dll
FF - plugin: c:\program files\tracker software\pdf viewer\npPDFXCviewNPPlugin.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - c:\docume~1\john\applic~1\mozilla\firefox\profiles\9f70j607.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Extension: All-in-One Sidebar: {097d3191-e6fa-4728-9826-b533d755359d} - c:\docume~1\john\applic~1\mozilla\firefox\profiles\9f70j607.default\extensions\{097d3191-e6fa-4728-9826-b533d755359d}
FF - Extension: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - c:\docume~1\john\applic~1\mozilla\firefox\profiles\9f70j607.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Extension: Last tab close button: last-tab-close-button@victor.sacharin - c:\docume~1\john\applic~1\mozilla\firefox\profiles\9f70j607.default\extensions\last-tab-close-button@victor.sacharin
FF - Extension: New Tab Homepage: {66E978CD-981F-47DF-AC42-E3CF417C1467} - c:\docume~1\john\applic~1\mozilla\firefox\profiles\9f70j607.default\extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}
FF - Extension: CheckPlaces: checkplaces@andyhalford.com - c:\docume~1\john\applic~1\mozilla\firefox\profiles\9f70j607.default\extensions\checkplaces@andyhalford.com
FF - Extension: Split Browser: {29c4afe1-db19-4298-8785-fcc94d1d6c1d} - c:\docume~1\john\applic~1\mozilla\firefox\profiles\9f70j607.default\extensions\{29c4afe1-db19-4298-8785-fcc94d1d6c1d}
FF - Extension: ColorfulTabs: {0545b830-f0aa-4d7e-8820-50a4629a56fe} - c:\docume~1\john\applic~1\mozilla\firefox\profiles\9f70j607.default\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}
FF - Extension: Open link in...: {ff81e780-5cc0-11d9-9669-0800200c9a66} - c:\docume~1\john\applic~1\mozilla\firefox\profiles\9f70j607.default\extensions\{ff81e780-5cc0-11d9-9669-0800200c9a66}
FF - Extension: KwiClick: vinceturk@gmail.com - c:\docume~1\john\applic~1\mozilla\firefox\profiles\9f70j607.default\extensions\vinceturk@gmail.com
FF - Extension: Context Search: {902D2C4A-457A-4EF9-AD43-7014562929FF} - c:\docume~1\john\applic~1\mozilla\firefox\profiles\9f70j607.default\extensions\{902D2C4A-457A-4EF9-AD43-7014562929FF}
FF - Extension: Tabberwocky: tabberwocky@studio17.wordpress.com - c:\docume~1\john\applic~1\mozilla\firefox\profiles\9f70j607.default\extensions\tabberwocky@studio17.wordpress.com
FF - Extension: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - c:\docume~1\john\applic~1\mozilla\firefox\profiles\9f70j607.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Extension: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - c:\docume~1\john\applic~1\mozilla\firefox\profiles\9f70j607.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
FF - Extension: Close n forget: closeforget@addons.mozilla.org - c:\docume~1\john\applic~1\mozilla\firefox\profiles\9f70j607.default\extensions\closeforget@addons.mozilla.org
FF - Extension: KeyScrambler: keyscrambler@qfx.software.corporation - c:\docume~1\john\applic~1\mozilla\firefox\profiles\9f70j607.default\extensions\keyscrambler@qfx.software.corporation
FF - Extension: pdfit: service@touchpdf.com - c:\docume~1\john\applic~1\mozilla\firefox\profiles\9f70j607.default\extensions\service@touchpdf.com
FF - Extension: IE View Lite: {FDD8ECF0-451A-414D-8C8F-7B7F78B0ECD3} - c:\docume~1\john\applic~1\mozilla\firefox\profiles\9f70j607.default\extensions\{FDD8ECF0-451A-414D-8C8F-7B7F78B0ECD3}
FF - Extension: Save Image in Folder: {5e594888-3e8e-47da-b2c6-b0b545112f84} - c:\docume~1\john\applic~1\mozilla\firefox\profiles\9f70j607.default\extensions\{5e594888-3e8e-47da-b2c6-b0b545112f84}
FF - Extension: Screen Capture Elite: screencaptureelite@plugin - c:\docume~1\john\applic~1\mozilla\firefox\profiles\9f70j607.default\extensions\screencaptureelite@plugin
FF - Extension: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - c:\docume~1\john\applic~1\mozilla\firefox\profiles\9f70j607.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
FF - user.js: browser.blink_allowed - true
FF - user.js: nglayout.initialpaint.delay - 50
FF - user.js: layout.spellcheckDefault - 1
FF - user.js: browser.urlbar.autoFill - false
FF - user.js: browser.search.openintab - false
FF - user.js: browser.tabs.closeButtons - 1
FF - user.js: browser.tabs.opentabfor.middleclick - true
FF - user.js: browser.tabs.tabMinWidth - 100
FF - user.js: browser.urlbar.hideGoButton - true

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-3-1 165584]
R1 RapportCerberus_19917;RapportCerberus_19917;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\19917\RapportCerberus_19917.sys [2010-10-3 34792]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-10-3 169320]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-3-1 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-1 40384]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2010-7-27 10448]
R2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\nvidia corporation\performance drivers\nvPDsvc.exe [2009-12-8 5241448]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-10-3 767208]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-1 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-1 40384]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2010-2-23 36608]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2010-3-14 114952]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2010-2-23 47616]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2010-10-17 124648]
S1 RapportKELL;RapportKELL;\??\c:\program files\trusteer\rapport\bin\rapportkell.sys --> c:\program files\trusteer\rapport\bin\RapportKELL.sys [?]
S3 DfSdkS;Defragmentation-Service;c:\program files\ashampoo\ashampoo winoptimizer 2010 advanced\DfSdkS.exe [2010-3-16 406016]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 SDTHelper;Helper driver for SDT-Tool;\??\c:\documents and settings\john\desktop\radix_installer\sdthlpr.sys --> c:\documents and settings\john\desktop\radix_installer\sdthlpr.sys [?]
S4 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-4 14336]
S4 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S4 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\common files\seagate\schedule2\schedul2.exe [2009-10-16 431456]

=============== Created Last 30 ================

2010-12-07 05:37:54 -------- d-----w- c:\program files\ESET
2010-12-07 04:16:59 -------- d-sha-r- C:\cmdcons
2010-12-07 02:48:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-07 02:48:29 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-07 02:16:52 -------- d-----w- C:\Malwarebytes' Anti-Malware
2010-12-06 03:54:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\ReviverSoft
2010-12-06 03:54:03 -------- d-----w- c:\docume~1\john\locals~1\applic~1\OpenCandy
2010-12-06 03:54:01 -------- d-----w- c:\docume~1\john\applic~1\OpenCandy
2010-12-06 03:50:12 -------- d-----w- c:\program files\FileASSASSIN
2010-12-01 02:40:17 -------- d-----w- c:\program files\MaxView
2010-11-29 21:19:54 94208 ----a-w- c:\windows\system32\msstkprp.dll
2010-11-29 21:19:54 608448 ----a-w- c:\windows\system32\comctl32.ocx
2010-11-29 21:19:54 140488 ----a-w- c:\windows\system32\comdlg32.ocx
2010-11-29 21:18:34 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2010-11-29 21:18:34 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2010-11-29 21:18:30 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2010-11-29 21:18:02 -------- d-----w- c:\windows\Logs
2010-11-29 21:16:23 -------- d-----w- c:\program files\common files\Akamai
2010-11-29 04:22:53 -------- d-----w- c:\program files\gs
2010-11-27 07:59:15 474892 ----a-w- c:\windows\system32\ensppmon.dll
2010-11-27 07:59:15 474892 ----a-w- c:\windows\system32\enppmon.dll
2010-11-27 07:59:15 457611 ----a-w- c:\windows\system32\ensppui.dll
2010-11-27 07:59:15 457611 ----a-w- c:\windows\system32\enppui.dll
2010-11-27 07:59:15 249344 ----a-w- c:\windows\system32\enspres.dll
2010-11-27 07:59:15 249344 ----a-w- c:\windows\system32\enpres.dll
2010-11-27 07:59:15 -------- d-----w- c:\program files\EpsonNet
2010-11-27 07:56:03 9216 ----a-w- c:\windows\system32\escdev.dll
2010-11-27 07:56:03 342016 ----a-w- c:\windows\system32\eswiaud.dll
2010-11-24 23:58:33 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-11-24 23:58:33 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-11-24 04:53:07 3739648 ----a-w- c:\docume~1\john\applic~1\microsoft\addins\SwiftXL9.dll
2010-11-24 04:53:04 -------- d-----w- c:\program files\PlanSwift9
2010-11-24 02:35:26 77824 ----a-w- c:\windows\system32\EBAPI.dll
2010-11-24 02:35:26 65536 ----a-w- c:\windows\system32\EEBUtil.dll
2010-11-24 02:35:26 55808 ----a-w- c:\windows\system32\EEBSDKIF.dll
2010-11-24 02:35:26 135168 ----a-w- c:\windows\system32\EEBAPI.dll
2010-11-24 02:35:26 110592 ----a-w- c:\windows\system32\EEBDSCVR.dll
2010-11-07 19:35:16 -------- d-----w- C:\OCS Documents
2010-11-07 19:35:15 -------- d-----w- c:\program files\On-Screen Takeoff 3
2010-11-07 19:35:15 -------- d-----w- c:\program files\common files\On Center Software
2010-11-07 19:35:15 -------- d-----w- c:\program files\common files\Crystal Decisions

==================== Find3M ====================

2010-09-18 19:23:26 974848 -c--a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 -c--a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 -c--a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 -c--a-w- c:\windows\system32\mfc40u.dll
2010-09-15 11:50:37 472808 -c--a-w- c:\windows\system32\deployJava1.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 -c--a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 -c----w- c:\windows\system32\inetcpl.cpl

============= FINISH: 22:52:11.52 ===============


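The SERVICES / DRIVERS section of the DDS log above is where a responder looks first, because a kernel driver (.sys) loaded from a user-writable profile directory, or an entry DDS could not stat (the trailing "[?]", which DDS prints when it cannot read the image's date and size), is a common sign of something that does not belong. The following triage helper is an added example for this thread; it is not part of the original post and not a BleepingComputer or DDS tool. The line format it parses ("<R|S><start type> <name>;<display name>;<image> [<date> <size>]", with "<registry path> --> <resolved path>" when the two differ) is inferred from the log lines above, and the sample input is a subset of those lines copied from the log. The two heuristics are assumptions about what is worth a second look, not a verdict: Trusteer Rapport legitimately loads a driver from All Users\Application Data, so every flag still has to be checked by hand.

```python
"""Triage the SERVICES / DRIVERS section of a DDS log (added example, not DDS code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Format inferred from the log above:
#   R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-3-1 165584]
#   S3 SDTHelper;Helper driver for SDT-Tool;\??\c:\...\sdthlpr.sys --> c:\...\sdthlpr.sys [?]
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)
TAIL_RE = re.compile(r"^(?P<image>.*?)\s*\[(?P<info>[^\]]*)\]\s*$")

# XP profile roots: anything under here is writable by the logged-on user (assumption: treat as suspicious).
USER_WRITABLE = ("c:\\documents and settings\\", "c:\\docume~1\\")


@dataclass
class Entry:
    state: str          # R = running, S = stopped (per DDS convention)
    start: int          # start type: 1 = system, 2 = auto, 3 = manual, 4 = disabled
    name: str
    display: str
    image: str          # resolved on-disk path, lower-cased
    missing: bool       # DDS printed "[?]": it could not stat the file
    size: Optional[int]
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    # DDS prints "<ImagePath from registry> --> <resolved path>"; keep the resolved one.
    if " --> " in rest:
        rest = rest.split(" --> ", 1)[1]
    t = TAIL_RE.match(rest)
    image, info = (t.group("image"), t.group("info")) if t else (rest, "?")
    image = image.strip()
    if image.startswith("\\??\\"):          # NT object-manager prefix, strip it
        image = image[4:]
    missing = info.strip() == "?"
    size = None
    if not missing:
        parts = info.split()                 # "<date> <size>"
        if len(parts) == 2 and parts[1].isdigit():
            size = int(parts[1])
    return Entry(m.group("state"), int(m.group("start")), m.group("name"),
                 m.group("display"), image.lower(), missing, size)


def triage(entry: Entry) -> List[str]:
    """Return the triage flags for one entry (heuristics are this example's assumptions)."""
    flags = []
    if entry.missing:
        flags.append("missing_file")         # image not readable at scan time
    if entry.image.startswith(USER_WRITABLE):
        flags.append("profile_path")         # driver/service image in a user-writable profile dir
    return flags


def triage_log(text: str) -> List[Entry]:
    """Parse only the SERVICES / DRIVERS section of a full DDS log."""
    entries, in_section = [], False
    for line in text.splitlines():
        if line.startswith("============= SERVICES / DRIVERS"):
            in_section = True
            continue
        if in_section and line.startswith("====="):   # next section header ends it
            break
        if in_section:
            e = parse_line(line)
            if e:
                e.flags = triage(e)
                entries.append(e)
    return entries


def flagged(text: str) -> dict:
    return {e.name: e.flags for e in triage_log(text) if e.flags}


# Sample input: a subset of the lines from the DDS log above.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-3-1 165584]
R1 RapportCerberus_19917;RapportCerberus_19917;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\19917\RapportCerberus_19917.sys [2010-10-3 34792]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2010-10-17 124648]
S1 RapportKELL;RapportKELL;\??\c:\program files\trusteer\rapport\bin\rapportkell.sys --> c:\program files\trusteer\rapport\bin\RapportKELL.sys [?]
S3 SDTHelper;Helper driver for SDT-Tool;\??\c:\documents and settings\john\desktop\radix_installer\sdthlpr.sys --> c:\documents and settings\john\desktop\radix_installer\sdthlpr.sys [?]
S4 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]

=============== Created Last 30 ================
"""

if __name__ == "__main__":
    for name, flags in flagged(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(flags)}")
```

On the log above this reports RapportCerberus_19917 (profile path, but a known Trusteer component), RapportKELL and gupdate (file not readable at scan time) and SDTHelper, the only entry that gets both flags: a kernel driver registered from a Desktop folder and not present on disk. That is the entry a responder would ask about first; a flag from this helper is a reason to look, not a verdict.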

#2 m0le

  • Malware Response Team

Posted 14 December 2010 - 09:23 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days, I will bump the topic, and if you do not reply by the following day after that, I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 m0le


Posted 19 December 2010 - 07:28 PM

This topic has been closed.

If you're the topic starter and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.