Multiple Suspicious.MH690 and possible Trojan.ByteVerify infection


This topic is locked
14 replies to this topic

#1 mechatronic

  • Members
  • 8 posts

Posted 15 January 2011 - 03:07 PM

Hello, so far every day Symantec Endpoint Protection (SEP) picks up a "Risk" titled "Suspicious.MH690" and quarantines it. The number of files quarantined increases each day (see attached SEP_Risk_Log.txt). I originally had an issue of Trojan.ByteVerify being found in the Java cache. SEP cleaned it and I uninstalled Java to make sure, because I thought that the update might have been fake, and Java has that vulnerability that I heard about. A day before, I downloaded RADtools.exe from the official site (hxxp://www.radgametools.com/bnkmain.htm), which installs a player to watch Bink video (.bik files). SEP categorized "smack.exe" (a file installed with the Bink video viewer) as "Suspicious.MH690", which I found to mean that it looks suspicious but could possibly be OK. In the past few days the only file type that is being flagged has the extension ".tmp". Either way, I don't know what's causing this to happen and I don't feel comfortable that it keeps getting detected. Any help would be appreciated. Thank you.

*I have scanned using: SEP, Spyware Search & Destroy, Ad-Aware, SUPER AntiSpyware, MalwareBytes Anti-Malware, Windows Defender
**No GMER log since I have Windows 7 64-bit.

DDS (Ver_10-12-12.02) - NTFS_AMD64
Run by Mechatronic at 11:29:22.86 on Sat 01/15/2011
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4094.2192 [GMT -8:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {DAAC1C79-1A96-9DFE-FC4C-6940214C33E6}
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Symantec Endpoint Protection *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\bcmwltry.exe
C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
D:\Additional Programs\Internet\Super AntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Absolute Software\Absolute Notifier\AbsoluteNotifierService.exe
C:\Windows\system32\AESTSr64.exe
C:\Windows\system32\dlbccoms.exe
C:\Windows\SysWOW64\rpcnet.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\STacSV64.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
D:\Additional Programs\Dell\QuickSet\NicConfigSvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\Logitech\LCD Manager\LCDMon.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray64.exe
D:\Security\Spybot - Search & Destroy\SDWinSec.exe
D:\Security\Spybot - Search & Destroy\TeaTimer.exe
C:\Users\Mechatronic\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
D:\Additional Programs\Internet\Super AntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDCountdown.exe
C:\Windows\OEM02Mon.exe
C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDPOP3.exe
D:\Additional Programs\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Program Files (x86)\Absolute Software\Absolute Notifier\AbsoluteNotifier.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
D:\Additional Programs\Internet\Mozilla Firefox\firefox.exe
D:\ADDITI~1\Internet\FREEDO~1\fdm.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
E:\Users\Mechatronic\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.gmail.com/
uWindow Title =
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - D:\Security\SPYBOT~1\SDHelper.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - D:\MICROS~1\Office14\URLREDIR.DLL
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - D:\Additional Programs\Internet\Free Download Manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - D:\Additional Programs\Java\bin\jp2ssv.dll
uRun: [SpybotSD TeaTimer] D:\Security\Spybot - Search & Destroy\TeaTimer.exe
uRun: [SansaDispatch] C:\Users\Mechatronic\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
uRun: [SUPERAntiSpyware] D:\Additional Programs\Internet\Super AntiSpyware\SUPERAntiSpyware.exe
mRun: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
mRun: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
mRun: [Absolute Notifier] "C:\Program Files (x86)\Absolute Software\Absolute Notifier\AbsoluteNotifier.exe"
StartupFolder: C:\Users\MECHAT~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\DELLDO~1.LNK - C:\Program Files\Dell\DellDock\DellDock.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\QuickSet.lnk - D:\Additional Programs\Dell\QuickSet\quickset.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Download all with Free Download Manager - file://D:\Additional Programs\Internet\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://D:\Additional Programs\Internet\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://D:\Additional Programs\Internet\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://D:\Additional Programs\Internet\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - D:\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - D:\MICROS~1\Office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - D:\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - D:\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - D:\Security\SPYBOT~1\SDHelper.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
mRun-x64: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
mRun-x64: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"
mRun-x64: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray64.exe
mRun-x64: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - C:\Users\MECHAT~1\AppData\Roaming\Mozilla\Firefox\Profiles\nqcwar1k.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=1eic6yu9oa4y3&scc=1&ltmpl=default&ltmplcache=2
FF - component: D:\Additional Programs\Internet\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - plugin: C:\Program Files (x86)\OnLive\FirefoxPlugin\npolgdet.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\system32\Wat\npWatWeb.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - plugin: D:\Additional Programs\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
FF - plugin: D:\Additional Programs\Internet\Mozilla Firefox\plugins\npPDFXCviewNPPlugin.dll
FF - plugin: D:\Additional Programs\Java\bin\new_plugin\npdeployJava1.dll
FF - plugin: D:\Additional Programs\Software\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll
FF - plugin: D:\Additional Programs\Video\QuickTime\Plugins\npqtplugin.dll
FF - plugin: D:\Additional Programs\Video\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: D:\Additional Programs\Video\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: D:\Additional Programs\Video\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: D:\Additional Programs\Video\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: D:\Additional Programs\Video\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: D:\Additional Programs\Video\QuickTime\Plugins\npqtplugin7.dll
FF - plugin: D:\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: D:\MICROS~1\Office14\NPSPWRAP.DLL
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - D:\Additional Programs\Internet\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - D:\Additional Programs\Internet\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - D:\Additional Programs\Internet\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;C:\Windows\System32\drivers\Lbd.sys [2010-6-20 69152]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2010-6-22 53488]
R1 SASDIFSV;SASDIFSV;D:\Additional Programs\Internet\Super AntiSpyware\sasdifsv64.sys [2010-2-17 14920]
R1 SASKUTIL;SASKUTIL;D:\Additional Programs\Internet\Super AntiSpyware\saskutil64.sys [2010-2-17 12360]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-13 59904]
R2 !SASCORE;SAS Core Service;D:\Additional Programs\Internet\Super AntiSpyware\SASCore64.exe [2010-6-29 128752]
R2 AbsoluteNotifier;Absolute Notifier;C:\Program Files (x86)\Absolute Software\Absolute Notifier\AbsoluteNotifierService.exe [2010-10-8 10408]
R2 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\AESTSr64.exe [2010-6-21 86016]
R2 cpuz135;cpuz135;C:\Windows\System32\drivers\cpuz135_x64.sys [2010-12-28 21992]
R2 dlbc_device;dlbc_device;C:\Windows\system32\dlbccoms.exe -service --> C:\Windows\system32\dlbccoms.exe -service [?]
R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2009-6-9 155648]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2010-7-12 1402272]
R2 SBSDWSCService;SBSD Security Center Service;D:\Security\Spybot - Search & Destroy\SDWinSec.exe [2010-6-20 1153368]
R2 Symantec AntiVirus;Symantec Endpoint Protection;C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe [2010-5-25 1831024]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-6-20 132656]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;C:\Program Files (x86)\Lavasoft\Ad-Aware\kernexplorer64.sys [2010-8-12 17440]
R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
R3 physX64;physX64;C:\Windows\System32\drivers\physX64.sys [2008-2-29 148768]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;D:\Additional Programs\Software\SiSoftware Sandra Lite 2010\RpcAgentSrv.exe [2010-10-24 93336]
S3 StMp3Recx64;Player Recovery Device Control Driver;C:\Windows\System32\drivers\StMp3Recx64.sys [2007-1-12 26112]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-6-21 1255736]

=============== Created Last 30 ================

2011-01-14 20:29:08 -------- d-----w- C:\Users\MECHAT~1\AppData\Roaming\Malwarebytes
2011-01-14 20:29:00 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-01-14 20:28:59 -------- d-----w- C:\PROGRA~3\Malwarebytes
2011-01-14 20:28:55 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-01-14 18:22:40 8199504 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{8BF0B60D-E052-450C-99DE-0CDCE90D74A4}\mpengine.dll
2011-01-14 02:21:10 -------- d-----w- C:\Users\MECHAT~1\AppData\Roaming\SUPERAntiSpyware.com
2011-01-14 02:21:10 -------- d-----w- C:\PROGRA~3\SUPERAntiSpyware.com
2011-01-14 02:21:03 -------- d-----w- C:\PROGRA~3\!SASCORE
2011-01-08 05:21:13 -------- d-----w- C:\Users\MECHAT~1\AppData\Roaming\AnvSoft
2011-01-08 02:11:17 10368 ----a-w- C:\Windows\SysWow64\iviaspi.sys
2011-01-08 02:09:12 225280 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\IScript\IScript.dll
2011-01-08 02:09:11 77824 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctor.dll
2011-01-08 02:09:11 32768 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\objectps.dll
2011-01-08 02:09:11 212992 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ILog.dll
2011-01-08 02:09:11 176128 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuser.dll
2011-01-02 18:24:48 178800 ----a-w- C:\Windows\SysWow64\CmdLineExt_x64.dll
2010-12-28 18:24:15 21992 ----a-w- C:\Windows\System32\drivers\cpuz135_x64.sys
2010-12-27 21:57:40 -------- d-----w- C:\Users\MECHAT~1\AppData\Roaming\SanDisk
2010-12-25 17:16:58 -------- d-----w- C:\PROGRA~3\Media Center Programs
2010-12-25 17:16:53 -------- d-----w- C:\Program Files (x86)\Common Files\BioWare
2010-12-17 04:45:55 -------- d-----w- C:\Users\MECHAT~1\AppData\Roaming\RIFT

==================== Find3M ====================

2011-01-15 18:35:38 17408 ----a-w- C:\Windows\System32\rpcnetp.exe
2011-01-15 18:35:35 57752 ----a-w- C:\Windows\SysWow64\rpcnet.dll
2011-01-14 07:07:35 17408 ----a-w- C:\Windows\SysWow64\rpcnetp.dll
2011-01-14 07:07:03 17408 ----a-w- C:\Windows\SysWow64\rpcnetp.exe
2011-01-12 21:54:39 15880 ----a-w- C:\Windows\System32\lsdelete.exe
2010-11-13 02:53:06 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2010-11-04 06:35:53 1194496 ----a-w- C:\Windows\System32\wininet.dll
2010-11-04 06:31:34 57856 ----a-w- C:\Windows\System32\licmgr10.dll
2010-11-04 05:52:17 978944 ----a-w- C:\Windows\SysWow64\wininet.dll
2010-11-04 05:48:36 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2010-11-04 05:16:14 482816 ----a-w- C:\Windows\System32\html.iec
2010-11-04 04:41:26 386048 ----a-w- C:\Windows\SysWow64\html.iec
2010-11-04 04:35:37 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2010-11-04 04:08:54 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2010-11-04 03:46:42 49752 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys
2010-11-02 19:50:56 29184 ----a-w- C:\Windows\SysWow64\CtLoJack.dll
2010-11-02 05:21:51 982912 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
2010-11-02 05:18:59 662528 ----a-w- C:\Windows\System32\XpsPrint.dll
2010-11-02 05:18:59 229888 ----a-w- C:\Windows\System32\XpsRasterService.dll
2010-11-02 05:18:58 470016 ----a-w- C:\Windows\System32\XpsGdiConverter.dll
2010-11-02 05:18:17 524288 ----a-w- C:\Windows\System32\wmicmiplugin.dll
2010-11-02 05:17:38 473600 ----a-w- C:\Windows\System32\taskcomp.dll
2010-11-02 05:17:38 1169408 ----a-w- C:\Windows\System32\taskschd.dll
2010-11-02 05:16:53 1114624 ----a-w- C:\Windows\System32\schedsvc.dll
2010-11-02 05:12:53 1133568 ----a-w- C:\Windows\System32\FntCache.dll
2010-11-02 05:12:25 1540608 ----a-w- C:\Windows\System32\DWrite.dll
2010-11-02 05:12:08 1837568 ----a-w- C:\Windows\System32\d3d10warp.dll
2010-11-02 05:12:07 320512 ----a-w- C:\Windows\System32\d3d10_1core.dll
2010-11-02 05:12:06 902656 ----a-w- C:\Windows\System32\d2d1.dll
2010-11-02 05:12:06 197120 ----a-w- C:\Windows\System32\d3d10_1.dll
2010-11-02 05:10:47 464384 ----a-w- C:\Windows\System32\taskeng.exe
2010-11-02 05:10:32 285696 ----a-w- C:\Windows\System32\schtasks.exe
2010-11-02 04:59:08 144384 ----a-w- C:\Windows\System32\cdd.dll
2010-11-02 04:41:36 442880 ----a-w- C:\Windows\SysWow64\XpsPrint.dll
2010-11-02 04:41:36 283648 ----a-w- C:\Windows\SysWow64\XpsGdiConverter.dll
2010-11-02 04:41:36 135168 ----a-w- C:\Windows\SysWow64\XpsRasterService.dll
2010-11-02 04:40:36 496128 ----a-w- C:\Windows\SysWow64\taskschd.dll
2010-11-02 04:40:36 305152 ----a-w- C:\Windows\SysWow64\taskcomp.dll
2010-11-02 04:35:51 1074176 ----a-w- C:\Windows\SysWow64\DWrite.dll
2010-11-02 04:35:35 1170944 ----a-w- C:\Windows\SysWow64\d3d10warp.dll
2010-11-02 04:35:34 739840 ----a-w- C:\Windows\SysWow64\d2d1.dll
2010-11-02 04:35:34 218624 ----a-w- C:\Windows\SysWow64\d3d10_1core.dll
2010-11-02 04:35:34 161792 ----a-w- C:\Windows\SysWow64\d3d10_1.dll
2010-11-02 04:34:44 192000 ----a-w- C:\Windows\SysWow64\taskeng.exe
2010-11-02 04:34:33 179712 ----a-w- C:\Windows\SysWow64\schtasks.exe
2010-11-02 02:50:58 258048 ----a-w- C:\Windows\System32\drivers\dxgmms1.sys
2010-10-27 05:06:22 2048 ----a-w- C:\Windows\System32\tzres.dll
2010-10-27 04:32:36 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2010-10-25 01:12:55 2267 ----a-w- C:\PROGRA~3\xmlB710.tmp
2010-10-25 01:12:54 13687 ----a-w- C:\PROGRA~3\xmlB4CE.tmp
2010-10-25 01:12:53 5898 ----a-w- C:\PROGRA~3\xml9961.tmp
2010-10-20 05:20:01 46080 ----a-w- C:\Windows\System32\atmlib.dll
2010-10-20 04:54:18 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2010-10-20 03:09:15 3124224 ----a-w- C:\Windows\System32\win32k.sys
2010-10-20 03:05:46 367104 ----a-w- C:\Windows\System32\atmfd.dll
2010-10-20 02:58:41 294400 ----a-w- C:\Windows\SysWow64\atmfd.dll

============= FINISH: 11:30:06.24 ===============

Edited by Orange Blossom, 15 January 2011 - 08:26 PM.
Deactivate link. ~ OB



#2 Casey_boy

  • Malware Response Team
  • 7,765 posts
  • Location:UK

Posted 20 January 2011 - 10:42 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Casey

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.




#3 mechatronic

  • Topic Starter
  • Members
  • 8 posts

Posted 20 January 2011 - 10:41 PM

Thanks for the reply. I was starting to think that I was forgotten. I did everything in your reply in my first post and Symantec is acting on similar risks as I type this. *I have 64-bit Windows so GMER won't work as stated by the instructions.

*Looks like Symantec acts on the risk only when I'm connected to the internet. In the 'E:\Windows temp' directory that I mentioned, I am able to see the infected '.tmp' file before Symantec detects it as a risk. It pops in and then Symantec immediately quarantines it. Note: my 'E' drive is the 3rd partition of my single hard drive.

#4 mechatronic

  • Topic Starter
  • Members
  • 8 posts

Posted 21 January 2011 - 06:23 PM

I’ve done a few things since yesterday:
1) Verified that Symantec only finds and quarantines these “Suspicious.M690” (.tmp) files ONLY when I am connected to the internet. I suspect something is trying to connect to my computer.
2) I updated my ‘SEP_Risk_Log.txt’ so that the first section is titled “RISK LOG” and the second section is titled “QUARANTINE LOG.” (Ctrl + F to easily find the section)
3) I ran GMER even though I have Windows 7 (64-bit). Note: I was only able to check, “Services, Registry, Files, and ADS.” See attached ‘ark.txt’ file.
4) Symantec has detected more than 1000 files that are classified as ‘Suspicious.MH690’ (all with extension ‘.tmp’). Each time I connect to the internet it seems to find more.
5) At one point Symantec said it blocked an IP address, 91.204.48.52, and gave me this message in a pop-up window/bubble: [SID: 24065] Phoenix Toolkit Activity 3 detected.


#5 Farbar

  • Security Developer
  • 21,707 posts
  • Location:The Netherlands
  • Local time:08:26 PM

Posted 22 January 2011 - 07:01 AM

Hi mechatronic,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Thanks to your detailed feedback we can take a close look at the problem. As you may notice:

  • MH690 is the heuristic scan of SEP. So it detects on the basis of behavior and not signatures. The method is not solid detection and is not dependable.
  • There is an article that DWHxxx.tmp files are both created and detected by SEP. It is a bug they have explained, made a patch for it and provided a workaround for it here:
    DWHxxx.tmp file is created and detected by Auto-Protect

    Please read it and apply the workaround.
  • The GMER shows the SPTD (Daemon Tools/Alcohol 120) driver. It might be just an orphan entry, but it triggers an error at startup. Are you currently using this CD emulator software?
  • DDS lists Lavasoft Ad-Watch (Ad-Aware) as an antivirus. If it is the antivirus version of the software, I recommend you uninstall it, as having two antivirus programs causes complications. Even the anti-adware of this software is not what it once used to be.

We can check a few things to make sure the system is clean.
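As an added illustration, and not a tool that anyone used or posted in this thread, the Python script below does in code what Farbar does by eye with the DDS log above: it splits the log into its "=== Section ===" blocks, parses the Running Processes and Created Last 30 / Find3M entries, and flags executables running from user-writable folders plus recently created .tmp files, so a helper can check whether those are the Auto-Protect scratch files Farbar describes or something that needs a closer look. The sample log is constructed from a few lines modelled on the one posted; the function names and the list of user-writable path fragments are my own choices, not part of DDS.

```python
"""Triage helper for DDS-style scan logs (added example; not a tool from the thread).

Splits a DDS log into its sections, parses process and file entries, and
returns the entries a responder would want to look at first.
"""
import re

# Constructed sample in DDS format; the paths are modelled on the log in the thread.
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Users\Mechatronic\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
E:\Users\Mechatronic\Downloads\dds.scr
C:\Windows\system32\conhost.exe

=============== Created Last 30 ================

2011-01-14 20:29:00 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-01-14 20:28:59 -------- d-----w- C:\PROGRA~3\Malwarebytes
2010-10-25 01:12:55 2267 ----a-w- C:\PROGRA~3\xmlB710.tmp

============= FINISH: 11:30:06.24 ===============
"""

# "============== Section Name ===============" headers.
HEADER_RE = re.compile(r"^=+\s*(.*?)\s*=+\s*$")
# The image path ends at the first executable-looking extension; whatever follows is arguments.
PROCESS_RE = re.compile(r"^(.+?\.(?:exe|scr|com|bat|cmd))(?:\s+(.*))?$", re.IGNORECASE)
# "<date> <time> <size or dashes> <8-char attributes> <path>"
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+|-+)\s+(\S{8})\s+(.+)$")

# Path fragments an ordinary user can write to (my choice of list, not a DDS concept).
USER_WRITABLE = ("\\appdata\\", "\\downloads\\", "\\temp\\", "\\users\\public\\")


def split_sections(text):
    """Map each section header to the non-empty lines beneath it."""
    sections, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def parse_process(line):
    """Return (image_path, arguments) for a Running Processes line, or None if it does not parse."""
    m = PROCESS_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), (m.group(2) or "")


def parse_file_entry(line):
    """Return a dict for a Created Last 30 / Find3M line, or None.

    DDS prints dashes instead of a size for directories and a 'd' as the first attribute.
    """
    m = FILE_RE.match(line.strip())
    if not m:
        return None
    when, size, attrs, path = m.groups()
    return {"when": when, "size": None if size.startswith("-") else int(size),
            "is_dir": attrs.startswith("d"), "path": path}


def triage(text):
    """Return (kind, path, reason) tuples for entries worth a closer look."""
    findings = []
    sections = split_sections(text)
    for line in sections.get("Running Processes", []):
        parsed = parse_process(line)
        if parsed is None:
            continue
        path, _args = parsed
        if any(frag in path.lower() for frag in USER_WRITABLE):
            findings.append(("process", path, "image runs from a user-writable location"))
    for name in ("Created Last 30", "Find3M"):
        for line in sections.get(name, []):
            entry = parse_file_entry(line)
            if entry is None or entry["is_dir"]:
                continue
            if entry["path"].lower().endswith(".tmp"):
                findings.append(("file", entry["path"],
                                 "recently created .tmp; confirm whether it is an AV scratch file"))
    return findings


if __name__ == "__main__":
    for kind, path, reason in triage(SAMPLE_LOG):
        print(f"{kind:8} {path}\n         {reason}")
```

Run against a real DDS log by reading the file into `triage()`; the flagged list is a starting point for the "is this file legitimate?" questions asked in this thread, not a verdict.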

#6 mechatronic

  • Topic Starter
  • Members
  • 8 posts

Posted 22 January 2011 - 05:31 PM

Thank you very much for the reply. I greatly appreciate it.

2) I disabled the rescanning of quarantine files (cache) upon receipt of new virus definitions.

3) I uninstalled Daemon tools/Alcohol 120 a while ago.

4) Uninstalled Lavasoft Ad-Watch (Ad-aware). I didn't realize that the version I have contains an anti-virus engine in addition to the anti-adware.

#7 Farbar

  • Security Developer
  • 21,707 posts
  • Location:The Netherlands
  • Local time:08:26 PM

Posted 22 January 2011 - 08:11 PM

Well done. :thumbup2:

To make sure the system is clean we will run a couple of tools.

  • You have the program Spybot S&D (Teatimer option) running on your machine. We need to disable TeaTimer so it does not interfere with the fixes we are about to do. This will only take a few seconds.
    • First disable TeaTimer:
      • Run Spybot-S&D
      • Go to the Mode menu, and make sure Advanced Mode is selected
      • On the left hand side, choose Tools -> Resident
      • Uncheck Resident TeaTimer and OK any prompts
      • Restart your computer.
      Instruction is also here: How to disable TeaTimer during HijackThis Cleanup
      Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

    • Then download ResetTeaTimer.exe to your desktop.
      • Right-click ResetTeaTimer.exe and let it run as administrator.
    Note: The Teatimer should be kept disabled until I give you the clean sign.
  • Please download MBRCheck by clicking here and save it to your desktop.
    • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt).
    • A window will open on your desktop.
    • If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
    • If nothing unusual is found just press Enter.
    • A .txt file named MBRCheck_mm.dd.yy_hh.mm.txt should appear on your desktop.
    • Please post the contents of that file in your next reply.


#8 mechatronic

  • Topic Starter
  • Members
  • 8 posts

Posted 24 January 2011 - 01:07 AM

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: (build 7600), 64-bit
Base Board Manufacturer: Dell Inc.
BIOS Manufacturer: Dell Inc.
System Manufacturer: Dell Inc.
System Product Name: MXG071
Logical Drives Mask: 0x0000003c

Kernel Drivers (total 209):
0x02C03000 \SystemRoot\system32\ntoskrnl.exe
0x031DF000 \SystemRoot\system32\hal.dll
0x00BCF000 \SystemRoot\system32\kdcom.dll
0x00CEE000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x00D32000 \SystemRoot\system32\PSHED.dll
0x00D46000 \SystemRoot\system32\CLFS.SYS
0x00C00000 \SystemRoot\system32\CI.dll
0x00E72000 \SystemRoot\system32\drivers\Wdf01000.sys
0x00F16000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x01054000 \SystemRoot\System32\Drivers\spoc.sys
0x0117B000 \SystemRoot\System32\Drivers\WMILIB.SYS
0x01184000 \SystemRoot\System32\Drivers\SCSIPORT.SYS
0x00F25000 \SystemRoot\system32\DRIVERS\ACPI.sys
0x011B3000 \SystemRoot\system32\DRIVERS\msisadrv.sys
0x011BD000 \SystemRoot\system32\DRIVERS\vdrvroot.sys
0x011CA000 \SystemRoot\system32\DRIVERS\pci.sys
0x01000000 \SystemRoot\System32\drivers\partmgr.sys
0x01015000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x0101E000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x0102A000 \SystemRoot\system32\DRIVERS\volmgr.sys
0x00F7C000 \SystemRoot\System32\drivers\volmgrx.sys
0x0103F000 \SystemRoot\system32\DRIVERS\intelide.sys
0x00FD8000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
0x00E00000 \SystemRoot\System32\drivers\mountmgr.sys
0x01047000 \SystemRoot\system32\DRIVERS\atapi.sys
0x00E1A000 \SystemRoot\system32\DRIVERS\ataport.SYS
0x00E44000 \SystemRoot\system32\DRIVERS\msahci.sys
0x00E4F000 \SystemRoot\system32\DRIVERS\amdxata.sys
0x00DA4000 \SystemRoot\system32\drivers\fltmgr.sys
0x00E5A000 \SystemRoot\system32\drivers\fileinfo.sys
0x00FE8000 \SystemRoot\System32\Drivers\PxHlpa64.sys
0x01246000 \SystemRoot\System32\Drivers\Ntfs.sys
0x0146F000 \SystemRoot\System32\Drivers\msrpc.sys
0x014CD000 \SystemRoot\System32\Drivers\ksecdd.sys
0x014E7000 \SystemRoot\System32\Drivers\cng.sys
0x0155A000 \SystemRoot\System32\drivers\pcw.sys
0x0156B000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x016BF000 \SystemRoot\system32\drivers\ndis.sys
0x01600000 \SystemRoot\system32\drivers\NETIO.SYS
0x01660000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x01801000 \SystemRoot\System32\drivers\tcpip.sys
0x017B1000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x01575000 \SystemRoot\system32\DRIVERS\volsnap.sys
0x0168B000 \SystemRoot\System32\Drivers\spldr.sys
0x015C1000 \SystemRoot\System32\drivers\rdyboost.sys
0x01693000 \SystemRoot\System32\Drivers\mup.sys
0x016A5000 \SystemRoot\System32\drivers\hwpolicy.sys
0x01400000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x0143A000 \SystemRoot\system32\DRIVERS\disk.sys
0x01200000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x00CC0000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x02C85000 \SystemRoot\System32\Drivers\SRTSP64.SYS
0x03A19000 \??\C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20110123.003\EX64.SYS
0x02CFA000 \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS
0x03BD3000 \??\C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20110123.003\ENG64.SYS
0x03A00000 \SystemRoot\System32\Drivers\SRTSPX64.SYS
0x03BF3000 \SystemRoot\System32\Drivers\Null.SYS
0x02D30000 \SystemRoot\System32\Drivers\Beep.SYS
0x02D37000 \SystemRoot\System32\drivers\vga.sys
0x02D45000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x02D6A000 \SystemRoot\System32\drivers\watchdog.sys
0x02D7A000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x02D83000 \SystemRoot\system32\drivers\rdpencdd.sys
0x02D8C000 \SystemRoot\system32\drivers\rdprefmp.sys
0x02D95000 \SystemRoot\System32\Drivers\Msfs.SYS
0x02DA0000 \SystemRoot\System32\Drivers\Npfs.SYS
0x02DB1000 \SystemRoot\system32\DRIVERS\tdx.sys
0x02DCF000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x02DDC000 \??\C:\Windows\system32\drivers\wpsdrvnt.sys
0x03CDA000 \SystemRoot\system32\drivers\afd.sys
0x03D64000 \SystemRoot\System32\DRIVERS\netbt.sys
0x03DA9000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x03DB2000 \SystemRoot\system32\DRIVERS\pacer.sys
0x03DD8000 \SystemRoot\system32\DRIVERS\vwififlt.sys
0x03DEE000 \SystemRoot\system32\DRIVERS\netbios.sys
0x03C00000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x03C1B000 \SystemRoot\system32\DRIVERS\termdd.sys
0x03C2F000 \??\D:\Additional Programs\Internet\Super AntiSpyware\SASKUTIL64.SYS
0x03C39000 \??\D:\Additional Programs\Internet\Super AntiSpyware\SASDIFSV64.SYS
0x03C43000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x03C94000 \SystemRoot\system32\drivers\nsiproxy.sys
0x03CA0000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x02C00000 \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys
0x03CAB000 \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0x02C76000 \SystemRoot\System32\drivers\discache.sys
0x03E01000 \SystemRoot\System32\Drivers\dfsc.sys
0x03E1F000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x03E30000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x03E56000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x0FE12000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x10AA4000 \SystemRoot\system32\DRIVERS\nvBridge.kmd
0x10AA6000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x10B9A000 \SystemRoot\System32\drivers\dxgmms1.sys
0x10BE0000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x03E6C000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x10BED000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x03EC2000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x04064000 \SystemRoot\system32\DRIVERS\bcmwl664.sys
0x0430C000 \SystemRoot\system32\DRIVERS\vwifibus.sys
0x04319000 \SystemRoot\system32\DRIVERS\physX64.sys
0x04341000 \SystemRoot\system32\DRIVERS\b57nd60a.sys
0x04389000 \SystemRoot\system32\DRIVERS\1394ohci.sys
0x043C7000 \SystemRoot\system32\DRIVERS\sdbus.sys
0x043E7000 \SystemRoot\system32\DRIVERS\rimmpx64.sys
0x04000000 \SystemRoot\system32\DRIVERS\rimspx64.sys
0x03EE6000 \SystemRoot\system32\DRIVERS\rixdpx64.sys
0x04017000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x04035000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x04044000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x04053000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x04058000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x0FE00000 \SystemRoot\system32\DRIVERS\CompositeBus.sys
0x03F3D000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x03F53000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x03F77000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x03F83000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x03FB2000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x03FCD000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x04824000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x0483E000 \SystemRoot\system32\DRIVERS\teefer2.sys
0x04864000 \SystemRoot\system32\DRIVERS\swenum.sys
0x04866000 \SystemRoot\system32\DRIVERS\ks.sys
0x048A9000 \SystemRoot\system32\DRIVERS\umbus.sys
0x048BB000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x04915000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x0492A000 \SystemRoot\system32\drivers\stwrt64.sys
0x0498E000 \SystemRoot\system32\drivers\portcls.sys
0x049CB000 \SystemRoot\system32\drivers\drmk.sys
0x049ED000 \SystemRoot\system32\drivers\ksthunk.sys
0x00030000 \SystemRoot\System32\win32k.sys
0x049F3000 \SystemRoot\System32\drivers\Dxapi.sys
0x04800000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x01450000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x0480E000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x04817000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x03FEE000 \SystemRoot\System32\Drivers\crashdmp.sys
0x02DEF000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x04819000 \SystemRoot\System32\Drivers\dump_msahci.sys
0x013E9000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x07AFC000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x07B19000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x07B26000 \SystemRoot\system32\DRIVERS\OEM02Dev.sys
0x07B68000 \SystemRoot\system32\DRIVERS\OEM02Vfx.sys
0x07B71000 \SystemRoot\system32\DRIVERS\monitor.sys
0x004D0000 \SystemRoot\System32\TSDDD.dll
0x007A0000 \SystemRoot\System32\cdd.dll
0x00870000 \SystemRoot\System32\ATMFD.DLL
0x07B7F000 \SystemRoot\system32\drivers\luafv.sys
0x07BA2000 \SystemRoot\system32\drivers\WudfPf.sys
0x07BC3000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x07A00000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x07A53000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x07A66000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x09E19000 \SystemRoot\system32\drivers\HTTP.sys
0x09EE1000 \SystemRoot\system32\DRIVERS\bowser.sys
0x09EFF000 \SystemRoot\System32\drivers\mpsdrv.sys
0x09F17000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x09F44000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x09F92000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x09FB5000 \??\C:\Windows\system32\drivers\cpuz135_x64.sys
0x0A688000 \SystemRoot\system32\drivers\peauth.sys
0x0A72E000 \SystemRoot\System32\Drivers\secdrv.SYS
0x0A739000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x0A766000 \SystemRoot\System32\drivers\tcpipreg.sys
0x0A778000 \??\C:\Windows\system32\drivers\WpsHelper.sys
0x0A600000 \SystemRoot\System32\DRIVERS\srv2.sys
0x0C881000 \SystemRoot\System32\DRIVERS\srv.sys
0x0C917000 \SystemRoot\system32\drivers\spsys.sys
0x0C988000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0x76F40000 \Windows\System32\ntdll.dll
0x481D0000 \Windows\System32\smss.exe
0xFF260000 \Windows\System32\apisetschema.dll
0xFF460000 \Windows\System32\autochk.exe
0xFF200000 \Windows\System32\Wldap32.dll
0xFF1D0000 \Windows\System32\imm32.dll
0xFE440000 \Windows\System32\shell32.dll
0xFE420000 \Windows\System32\imagehlp.dll
0xFE340000 \Windows\System32\advapi32.dll
0xFE2A0000 \Windows\System32\msvcrt.dll
0xFE1C0000 \Windows\System32\oleaut32.dll
0xFDFB0000 \Windows\System32\ole32.dll
0x76E40000 \Windows\System32\user32.dll
0xFDE80000 \Windows\System32\wininet.dll
0xFDDE0000 \Windows\System32\comdlg32.dll
0xFDDD0000 \Windows\System32\lpk.dll
0xFDC50000 \Windows\System32\urlmon.dll
0xFDB20000 \Windows\System32\rpcrt4.dll
0xFDA50000 \Windows\System32\usp10.dll
0xFD7F0000 \Windows\System32\iertutil.dll
0xFD7E0000 \Windows\System32\nsi.dll
0xFD7C0000 \Windows\System32\sechost.dll
0xFD770000 \Windows\System32\ws2_32.dll
0x76D20000 \Windows\System32\kernel32.dll
0xFD660000 \Windows\System32\msctf.dll
0xFD5E0000 \Windows\System32\shlwapi.dll
0xFD560000 \Windows\System32\difxapi.dll
0x77110000 \Windows\System32\psapi.dll
0x77100000 \Windows\System32\normaliz.dll
0xFD380000 \Windows\System32\setupapi.dll
0xFD2E0000 \Windows\System32\clbcatq.dll
0xFD270000 \Windows\System32\gdi32.dll
0xFD200000 \Windows\System32\KernelBase.dll
0xFD160000 \Windows\System32\comctl32.dll
0xFCFF0000 \Windows\System32\crypt32.dll
0xFCFB0000 \Windows\System32\wintrust.dll
0xFCF90000 \Windows\System32\devobj.dll
0xFCF50000 \Windows\System32\cfgmgr32.dll
0xFCF40000 \Windows\System32\msasn1.dll
0x76B20000 \Windows\SysWOW64\normaliz.dll

Processes (total 73):
0 System Idle Process
4 System
288 C:\Windows\System32\smss.exe
412 csrss.exe
480 C:\Windows\System32\wininit.exe
496 csrss.exe
536 C:\Windows\System32\services.exe
552 C:\Windows\System32\lsass.exe
560 C:\Windows\System32\lsm.exe
656 C:\Windows\System32\svchost.exe
720 C:\Windows\System32\nvvsvc.exe
760 C:\Windows\System32\svchost.exe
820 C:\Windows\System32\svchost.exe
856 C:\Windows\System32\svchost.exe
884 C:\Windows\System32\svchost.exe
972 C:\Windows\System32\audiodg.exe
112 C:\Windows\System32\winlogon.exe
324 C:\Windows\System32\svchost.exe
628 C:\Program Files\Dell\DellDock\DockLogin.exe
416 C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe
1052 C:\Windows\System32\nvvsvc.exe
1136 C:\Windows\System32\svchost.exe
1212 C:\Windows\System32\wlanext.exe
1228 C:\Windows\System32\conhost.exe
1264 C:\Windows\System32\WLTRYSVC.EXE
1304 C:\Windows\System32\BCMWLTRY.EXE
1312 C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
1512 C:\Windows\System32\spoolsv.exe
1540 C:\Windows\System32\svchost.exe
1664 D:\Additional Programs\Internet\Super AntiSpyware\SASCore64.exe
1684 C:\Program Files (x86)\Absolute Software\Absolute Notifier\AbsoluteNotifierService.exe
1880 C:\Windows\System32\taskhost.exe
1972 C:\Windows\System32\dwm.exe
2000 C:\Windows\explorer.exe
1188 C:\Windows\System32\AESTSr64.exe
1592 C:\Windows\System32\dlbccoms.exe
2080 C:\Windows\SysWOW64\rpcnet.exe
2148 C:\Windows\System32\stacsv64.exe
2204 C:\Windows\System32\svchost.exe
2280 C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
2320 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
2512 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
2608 D:\Additional Programs\Dell\QuickSet\NicConfigSvc.exe
2812 WmiPrvSE.exe
3024 C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe
3040 D:\Security\Spybot - Search & Destroy\SDWinSec.exe
1236 C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe
3224 C:\Windows\System32\svchost.exe
3744 C:\Windows\System32\svchost.exe
3912 C:\Windows\System32\WLTRAY.EXE
3920 C:\Program Files\Common Files\Logitech\LCD Manager\LCDMon.exe
3936 C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray64.exe
3952 C:\Users\Mechatronic\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
3964 D:\Additional Programs\Internet\Super AntiSpyware\SUPERANTISPYWARE.EXE
4020 C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
4036 C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDCountdown.exe
4080 C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
3288 C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDPOP3.exe
476 C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
1028 D:\Additional Programs\Dell\QuickSet\quickset.exe
332 C:\Program Files\Dell\DellDock\DellDock.exe
1488 C:\Program Files\Windows Media Player\wmpnetwk.exe
3620 C:\Windows\OEM02Mon.exe
3608 C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe
732 C:\Program Files (x86)\Absolute Software\Absolute Notifier\AbsoluteNotifier.exe
4784 C:\Windows\System32\sppsvc.exe
4820 C:\Windows\System32\svchost.exe
4204 D:\Additional Programs\Internet\Mozilla Firefox\firefox.exe
2496 D:\Additional Programs\Internet\Mozilla Firefox\plugin-container.exe
1472 WmiPrvSE.exe
4676 C:\Users\Mechatronic\Desktop\MBRCheck.exe
5028 C:\Windows\System32\conhost.exe
708 C:\Windows\System32\dllhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00100000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000000a`fc900000 (NTFS)
\\.\E: --> \\.\PhysicalDrive0 at offset 0x0000002f`1e900000 (NTFS)

PhysicalDrive0 Model Number: SAMSUNGHM251JJ, Rev: 2AA00_00

Size     Device Name          MBR Status
--------------------------------------------
232 GB   \\.\PhysicalDrive0   Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79


Done!
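For readers who want to see what a report like the one above is built from: the added example below is not MBRCheck's own code (the page does not say which byte range MBRCheck hashes, so the SHA1 it prints will not match the value in the log). It parses a 512-byte MBR sector, hashes the 440-byte boot-code region and looks it up in an allow-list, and lists the partition entries by byte offset, the same facts the report states in its `MBR Status`, `SHA1:` and `\\.\C: --> \\.\PhysicalDrive0 at offset …` lines. The sample sector, its boot code, disk signature, partition sizes and the allow-list are all constructed for the example; only the three partition start offsets are copied from the log. `read_mbr` is the one function that touches a real device and only runs when a path is passed on the command line (administrator rights are needed to open `\\.\PhysicalDrive0`).

```python
# Added example, not MBRCheck's code: parse an MBR sector, hash its boot code
# against an allow-list and list partitions, the way an MBR checker reports
# "<OS> MBR code detected" versus an unknown bootcode.
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0..439 hold the boot code; 440..443 the disk signature
PART_TABLE_OFF = 446     # four 16-byte partition entries after 2 bytes of padding
BOOT_SIG = b"\x55\xaa"   # bytes 510..511 of every valid MBR sector


def read_mbr(path):
    """Read the first sector of a device or image.
    On Windows the path can be r'\\.\PhysicalDrive0' (run as administrator);
    on Linux /dev/sda. Never called unless the user passes a path."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR)


def is_valid_mbr(sector):
    """Structural sanity check: exactly one sector ending in the 0x55AA signature."""
    return len(sector) == SECTOR and sector[510:512] == BOOT_SIG


def parse_mbr(sector):
    """Return boot-code SHA1, disk signature and the non-empty partition entries."""
    if not is_valid_mbr(sector):
        raise ValueError("not a 512-byte sector ending in 0x55AA")
    parts = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:                      # empty slot
            continue
        parts.append({
            "index": i,
            "active": status == 0x80,
            "type": ptype,                  # 0x07 = NTFS/exFAT
            "start_offset": lba * SECTOR,   # byte offset, as the log prints it
            "size_bytes": count * SECTOR,
        })
    return {
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
        "disk_signature": struct.unpack_from("<I", sector, BOOT_CODE_LEN)[0],
        "partitions": parts,
    }


def check_mbr(sector, known_good):
    """known_good maps boot-code SHA1 (upper-case hex) -> label, e.g. 'Windows 7'."""
    info = parse_mbr(sector)
    label = known_good.get(info["boot_code_sha1"])
    info["status"] = f"{label} MBR code detected" if label else "Unknown bootcode"
    return info


def build_sample_mbr():
    """Constructed sample: dummy boot code (NOT real Windows boot code), a made-up
    disk signature, and three NTFS entries starting at the byte offsets the posted
    log reports for C:, D: and E:. Sizes are chosen to fit, not taken from the page."""
    boot_code = bytes(range(256)) + bytes(BOOT_CODE_LEN - 256)
    disk_sig = struct.pack("<I", 0x12345678) + b"\x00\x00"      # signature + padding
    bounds = [0x00100000, 0x0AFC900000, 0x2F1E900000,
              0x2F1E900000 + 0x05A00000 * SECTOR]                # constructed disk end
    table = b""
    for i in range(3):
        lba = bounds[i] // SECTOR
        count = (bounds[i + 1] - bounds[i]) // SECTOR
        status = 0x80 if i == 0 else 0x00                         # first entry is active
        table += struct.pack("<B3xB3xII", status, 0x07, lba, count)
    table += bytes(16)                                            # fourth slot empty
    return boot_code + disk_sig + table + BOOT_SIG


SAMPLE_MBR = build_sample_mbr()
# Hypothetical allow-list seeded with the sample's own hash so the example runs
# offline; a real list would hold the hash of genuine Windows 7 boot code.
KNOWN_GOOD = {hashlib.sha1(SAMPLE_MBR[:BOOT_CODE_LEN]).hexdigest().upper(): "Sample"}

if __name__ == "__main__":
    import sys
    sector = read_mbr(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_MBR
    info = check_mbr(sector, KNOWN_GOOD)
    print(f"SHA1: {info['boot_code_sha1']}  {info['status']}")
    for p in info["partitions"]:
        print(f"  partition {p['index']}: type 0x{p['type']:02X} "
              f"offset 0x{p['start_offset']:X} size {p['size_bytes'] // 2**30} GiB"
              + (" (active)" if p["active"] else ""))
```

Run it with no arguments to parse the constructed sample, or with a device path or raw disk image as the only argument. The allow-list lookup is the whole check: an MBR whose boot-code hash is not on the list is reported as unknown, which is the case where the forum instructions tell the user to answer N and post the report rather than let the tool rewrite anything.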

#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:26 PM

Posted 24 January 2011 - 01:50 AM

That one looks good. Are you noticing anything unusual needing attention?

#10 mechatronic


Posted 24 January 2011 - 02:33 PM

So far nothing unusual.

#11 Farbar


Posted 24 January 2011 - 05:05 PM

I thought so. This is an x64 system and I only needed the MBRCheck to make sure. You had already run many tools and scanners except an MBRCheck.

So it looks pretty good. If you want, we can wait another day to see how SEP behaves.

#12 mechatronic


Posted 24 January 2011 - 05:21 PM

Waiting a day should be good just in case. So far SEP hasn't popped up with the Suspicious.MH690 quarantine - still can't believe that most of this was just the result of a glitch. Either way, I'm glad that you helped point out the glitch and that Ad-Aware is an anti-virus now.

#13 Farbar


Posted 25 January 2011 - 06:08 PM

It looks like after two days there is no alarm from SEP, and we are done.

If you have no questions, you are good to go now. :)

#14 mechatronic


Posted 25 January 2011 - 09:16 PM

Excellent! Again, thank you for your help.

#15 Farbar


Posted 26 January 2011 - 12:10 PM

You are most welcome. :)

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.



