Dropper Generic3 KRY Trojan -- Help me pls?


8 replies to this topic

#1 alleecmo
  • Members
  • 5 posts

Posted 07 February 2011 - 12:39 AM

Hi. I've lurked here before & found solutions. Not so lucky today. AVG found a Trojan that refuses to leave.
Dropper.Generic3.KRY

OS: Win XP Pro SP3
Browsers: Firefox 3.6.13 (& IE 8 only at gunpoint)
Recent dangerous neighborhoods: Fallout New Vegas Nexus

What's happening:
1) "Generic Host Process for Win32 Services has encountered a problem and needs to close." Wants to send an error report which does nothing. No link for info on this error. nada. happens during AVG scans & Microsoft Malicious Software removal Tool scan.

2) Ran AVG; Keeps finding 2 copies of this Trojan; puts one in the Virus Vault but can't do so with the other one.

3) Ran Malware Bytes 3 times. Got it down to only 1 registry value (from 5) but have LOTS (13 items) in Quarantine.
Rootkit.TDSS
Trojan.Fraudpack (2 copies)
PUM.Bad.Proxy (3)
Hijacker.XMLLookup (2)
Hijacker.intl (2)
Hijacker.Application (2)
Trojan.Agent


4) In FF, clicking on any Google "Dropper.Generic3.KRY" search results takes me to random (fake??) generic "search" pages, including clicking a link to BleepingComputer. A somewhat amusing result was clicking on a link to an eHow on removing this rat-bastard trojan rerouted me to http://www.healthvideo.com/nexium/?sky=miv|hvn|nexium|gerd|from NBC.
In IE it reroutes me even if I type in the address bar. Even Microsoft.com.

5) Ran HijackThis; not sure what to do with or about what I got.

6) every half-hour or so I get this AVG Alert:
Filename: c:\System Volume Information\_restore{B1DAA8E9-4027-4B25-8CA9-B76587615307}\RP476\A0111310.exe
Threat name: Trojan horse Dropper.Generic3.KRY
detected on open
process name: C:\\WINDOWS\system3MRT.exe

I hope this is enough info to get you started. I also hope you can help. Thank you in advance for any assistance.


#2 Starbuck
    'r Brudiwr
  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 07 February 2011 - 12:00 PM

Hi alleecmo

every half-hour or so I get this AVG Alert:
Filename: c:\System Volume Information\_restore{B1DAA8E9-4027-4B25-8CA9-B76587615307}\RP476\A0111310.exe
Threat name: Trojan horse Dropper.Generic3.KRY

This relates to an infected restore point.
As long as you don't use system restore for awhile, you'll be ok.

Step 1
Please update MBAM and run another scan:
Start MBAM
Click on the Update tab


Click Check for Updates


If it says that MBAM needs to close to update it... let it close and then restart.
Then click the Scan button.

Don't forget:

  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



Step 2
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • Vista/Win7 users should right-click and select Run As Administrator.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file in your next reply.


In your next reply, please submit:
MBAM report
TDSSKiller report



Thanks.


#3 alleecmo
  • Topic Starter
  • Members
  • 5 posts

Posted 08 February 2011 - 02:45 AM

MBAM Log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5709

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/7/2011 11:43:29 PM
mbam-log-2011-02-07 (23-43-29).txt

Scan type: Full scan (C:\|)
Objects scanned: 263870
Time elapsed: 1 hour(s), 11 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
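As an added example that is not part of the thread, the following Python parses the MBAM 1.50 log format pasted above and pulls out what a responder actually reads from it: the per-section counts, every detected item with its detection name and action, and whether any action is still waiting on a reboot. The sample log is constructed to mirror the shape of the logs in this thread (the ProxyServer hit from this post plus a file item whose pending-reboot action is made up for the example); it is not a real log from the poster's machine.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the shape of the MBAM 1.50 logs pasted in this thread;
# the file entry's "Delete on reboot." action is made up to exercise that path.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5709

Scan type: Full scan (C:\|)
Objects scanned: 263870

Memory Processes Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\networkservice\local settings\temporary internet files\Content.IE5\781PH9PF\sd[1].exe (Trojan.Downloader) -> Delete on reboot.
"""

SUMMARY_RE = re.compile(r"^(.+ Infected): (\d+)$")   # "Files Infected: 1"
SECTION_RE = re.compile(r"^(.+ Infected):$")         # "Files Infected:" opens an item list
ITEM_RE = re.compile(r"^(.*) \(([^()]+)\)$")          # "location (DetectionName)"


@dataclass
class MbamDetection:
    section: str
    location: str
    name: str
    action: str

    @property
    def pending_reboot(self) -> bool:
        # MBAM defers locked files; the log then says so in the action text.
        return "reboot" in self.action.lower()


@dataclass
class MbamReport:
    database_version: Optional[str] = None
    summary: Dict[str, int] = field(default_factory=dict)
    detections: List[MbamDetection] = field(default_factory=list)


def parse_mbam_log(text: str) -> MbamReport:
    report = MbamReport()
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Database version: "):
            report.database_version = line.split(": ", 1)[1]
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report.summary[m.group(1)] = int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        # Item lines look like "location (Name) -> [Value: x ->] action."
        parts = line.split(" -> ")
        m = ITEM_RE.match(parts[0]) if len(parts) >= 2 else None
        if m:
            report.detections.append(
                MbamDetection(section, m.group(1), m.group(2), parts[-1].rstrip(".")))
    return report


def triage_mbam(report: MbamReport) -> dict:
    """What a responder checks first: do the headline counts match the listed
    items, is anything still waiting on a reboot, and was the proxy hijacked."""
    listed: Dict[str, int] = {}
    for d in report.detections:
        listed[d.section] = listed.get(d.section, 0) + 1
    return {
        "total": sum(report.summary.values()),
        "count_mismatch": [s for s, n in report.summary.items() if n != listed.get(s, 0)],
        "pending_reboot": [d.location for d in report.detections if d.pending_reboot],
        # A ProxyServer value under Internet Settings that the user never set
        # silently routes browser traffic through whatever proxy the malware chose.
        "proxy_hijack": any(d.location.endswith("\\ProxyServer") for d in report.detections),
    }


if __name__ == "__main__":
    print(triage_mbam(parse_mbam_log(SAMPLE_LOG)))
```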

#4 alleecmo
  • Topic Starter
  • Members
  • 5 posts

Posted 08 February 2011 - 03:01 AM

TDSS Killer log:

2011/02/07 23:46:00.0828 4120 TDSS rootkit removing tool 2.4.16.0 Feb 1 2011 10:34:03
2011/02/07 23:46:01.0171 4120 ================================================================================
2011/02/07 23:46:01.0171 4120 SystemInfo:
2011/02/07 23:46:01.0171 4120
2011/02/07 23:46:01.0171 4120 OS Version: 5.1.2600 ServicePack: 3.0
2011/02/07 23:46:01.0171 4120 Product type: Workstation
2011/02/07 23:46:01.0171 4120 ComputerName: GIFTOFLOVE
2011/02/07 23:46:01.0171 4120 UserName: Allee
2011/02/07 23:46:01.0171 4120 Windows directory: C:\WINDOWS
2011/02/07 23:46:01.0171 4120 System windows directory: C:\WINDOWS
2011/02/07 23:46:01.0171 4120 Processor architecture: Intel x86
2011/02/07 23:46:01.0171 4120 Number of processors: 2
2011/02/07 23:46:01.0171 4120 Page size: 0x1000
2011/02/07 23:46:01.0171 4120 Boot type: Normal boot
2011/02/07 23:46:01.0171 4120 ================================================================================
2011/02/07 23:46:01.0453 4120 Initialize success
2011/02/07 23:46:03.0531 5060 ================================================================================
2011/02/07 23:46:03.0531 5060 Scan started
2011/02/07 23:46:03.0531 5060 Mode: Manual;
2011/02/07 23:46:03.0531 5060 ================================================================================
2011/02/07 23:46:16.0578 5060 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/02/07 23:46:16.0578 5060 ================================================================================
2011/02/07 23:46:16.0578 5060 Scan finished
2011/02/07 23:46:16.0578 5060 ================================================================================
2011/02/07 23:46:16.0593 5116 Detected object count: 1
2011/02/07 23:46:33.0578 5116 \HardDisk0 - will be cured after reboot
2011/02/07 23:46:33.0578 5116 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/02/07 23:47:58.0859 3492 Deinitialize success
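As an added example that is not part of the thread, this Python parses the TDSSKiller log format above and separates the driver inventory (name, MD5, path) from the detection, chosen-action and reboot-status lines, then summarises what matters: whether the detection sits outside the filesystem (a bare device object such as \HardDisk0), whether the cure is deferred to reboot, and whether the declared object count matches what was parsed. The sample is an excerpt of the log in this post, trimmed to two driver lines.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Excerpt of the TDSSKiller log posted in this thread, trimmed to two driver
# lines so it stays short; the line shapes are unchanged.
SAMPLE_TDSS_LOG = r"""2011/02/07 23:46:00.0828 4120 TDSS rootkit removing tool 2.4.16.0 Feb 1 2011 10:34:03
2011/02/07 23:46:03.0531 5060 Scan started
2011/02/07 23:46:03.0531 5060 Mode: Manual;
2011/02/07 23:46:08.0140 5060 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/02/07 23:46:14.0984 5060 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/02/07 23:46:16.0578 5060 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/02/07 23:46:16.0578 5060 Scan finished
2011/02/07 23:46:16.0593 5116 Detected object count: 1
2011/02/07 23:46:33.0578 5116 \HardDisk0 - will be cured after reboot
2011/02/07 23:46:33.0578 5116 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/02/07 23:47:58.0859 3492 Deinitialize success
"""

# Every line is "YYYY/MM/DD HH:MM:SS.mmmm <pid> <message>".
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(\d+)\s+(.*)$")
DRIVER_RE = re.compile(r"^(\S+) \(([0-9a-f]{32})\) (.+)$")       # name (md5) path
DETECT_RE = re.compile(r"^(\S+) - detected (\S+) \((\d+)\)$")     # object - detected threat (n)
ACTION_RE = re.compile(r"^([^(]+)\(([^)]+)\) - User select action: (\w+)$")
REBOOT_RE = re.compile(r"^(\S+) - will be cured after reboot$")


@dataclass
class TdssDetection:
    obj: str
    threat: str
    action: Optional[str] = None
    cure_after_reboot: bool = False

    @property
    def outside_filesystem(self) -> bool:
        # A bare device object such as \HardDisk0 (no drive letter, no file)
        # means the infection lives in the disk's boot sector (MBR) rather than
        # in a file, which is why TDSSKiller can only cure it during a reboot.
        return self.obj.startswith("\\") and ":" not in self.obj


@dataclass
class TdssReport:
    version: Optional[str] = None
    mode: Optional[str] = None
    declared_count: Optional[int] = None
    finished: bool = False
    drivers: Dict[str, Tuple[str, str]] = field(default_factory=dict)   # name -> (md5, path)
    detections: Dict[str, TdssDetection] = field(default_factory=dict)  # object -> detection


def parse_tdsskiller_log(text: str) -> TdssReport:
    rep = TdssReport()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group(3)
        if msg.startswith("TDSS rootkit removing tool "):
            rep.version = msg.split()[4]
        elif msg.startswith("Mode: "):
            rep.mode = msg[len("Mode: "):].rstrip(";")
        elif msg.startswith("Detected object count: "):
            rep.declared_count = int(msg.rsplit(" ", 1)[1])
        elif msg == "Deinitialize success":
            rep.finished = True
        elif (d := DETECT_RE.match(msg)):
            rep.detections[d.group(1)] = TdssDetection(d.group(1), d.group(2))
        elif (a := ACTION_RE.match(msg)):
            det = rep.detections.setdefault(a.group(2), TdssDetection(a.group(2), a.group(1)))
            det.action = a.group(3)
        elif (r := REBOOT_RE.match(msg)):
            if r.group(1) in rep.detections:
                rep.detections[r.group(1)].cure_after_reboot = True
        elif (dr := DRIVER_RE.match(msg)):
            # The inventory is worth keeping: the MD5s can be compared against a
            # known-good copy of the same Windows build to spot patched drivers.
            rep.drivers[dr.group(1)] = (dr.group(2), dr.group(3))
    return rep


def triage_tdss(rep: TdssReport) -> dict:
    dets = list(rep.detections.values())
    return {
        "version": rep.version,
        "declared_count": rep.declared_count,
        "parsed_count": len(dets),
        "boot_level": [d.obj for d in dets if d.outside_filesystem],
        "reboot_required": any(d.cure_after_reboot for d in dets),
        "not_cured": [d.obj for d in dets if d.action != "Cure"],
        "drivers_inventoried": len(rep.drivers),
        "clean_exit": rep.finished,
    }


if __name__ == "__main__":
    print(triage_tdss(parse_tdsskiller_log(SAMPLE_TDSS_LOG)))
```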

#5 Starbuck
    'r Brudiwr
  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 08 February 2011 - 07:40 AM

Hi alleecmo

2011/02/07 23:46:16.0593 5116 Detected object count: 1
2011/02/07 23:46:33.0578 5116 \HardDisk0 - will be cured after reboot
2011/02/07 23:46:33.0578 5116 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/02/07 23:47:58.0859 3492 Deinitialize success

That should have helped.

I'd like you to do an ESET OnlineScan

You may find it beneficial to close your resident AV program before running the scan.
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer.
      Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Click Posted Image, and save the file to your desktop using a unique name, such as ESETScan.
    Include the contents of this report in your next reply.
  • Click the Posted Image button.
  • Click Posted Image
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

In your next reply, please submit:
Eset scan report
and let me know how the system is running now.


Thanks.


#6 alleecmo
  • Topic Starter
  • Members
  • 5 posts

Posted 09 February 2011 - 04:59 AM

I ran MBAM again first, since the AVG Resident Shield kept popping up with kaka. MBAM found one:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5718

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/9/2011 1:53:15 AM
mbam-log-2011-02-09 (01-53-15).txt

Scan type: Full scan (C:\|)
Objects scanned: 138691
Time elapsed: 1 hour(s), 29 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\networkservice\local settings\temporary internet files\Content.IE5\781PH9PF\sd[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.


Then I ran ESET (which looks really fab btw... especially next to AVG) It found FOUR!!

C:\Documents and Settings\Allee\Local Settings\Temp\npsEFD.tmp probably a variant of Win32/Agent.CCXOUFR trojan cleaned by deleting - quarantined
C:\Documents and Settings\Allee\Local Settings\Temporary Internet Files\Content.IE5\RI424T3U\tupidqg[1].pdf PDF/Exploit.Gen trojan cleaned by deleting - quarantined
C:\Documents and Settings\Allee\My Documents\downloads\registrybooster.exe Win32/RegistryBooster application deleted - quarantined
C:\WINDOWS\Temp\60.tmp a variant of Win32/Olmarik.ANI trojan cleaned by deleting - quarantined

Rebooting & rerunning after this post. Will repost new vitals in the morning. Thanks again for your time. Hoping to avoid a complete reinstall.

#7 Starbuck
    'r Brudiwr
  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 09 February 2011 - 05:43 AM

Hi alleecmo

It looks like your temp files need a good clean out.

Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Let me know how things are after running TFC.

Thanks


#8 alleecmo
  • Topic Starter
  • Members
  • 5 posts

Posted 09 February 2011 - 06:19 PM

TFC took out a LOT of trash!!
I have saved that, TDSSKiller, MBAM, & ESET in my <SANITATION_DEPT> folder & will run them all regularly from now on!!

Ran ESET twice more:
# found=0
# cleaned=0
both times :-D

Looks like a clean bill of health from MBAM too:
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Also, noticed the kaka seemed to always be in <C:\Documents and Settings\NetworkService...>
so I rescanned specifics.

Boo-Hiss! Unclean! Unclean!

"Scan ""Scan specific files or folders"" completed."
"Infections";"1";"1";"0"
"Folders selected for scanning:";"C:\Documents and Settings\Allee\Local Settings\Application Data\;C:\Documents and Settings\Allee\Local Settings\Temp\;C:\Documents and Settings\Allee\Local Settings\Temporary Internet Files\;C:\Documents and Settings\Allee\My Documents\downloads\;C:\Documents and Settings\NetworkService\;"
"Scan started:";"Wednesday, February 09, 2011, 3:11:08 PM"
"Scan finished:";"Wednesday, February 09, 2011, 3:14:23 PM (3 minute(s) 15 second(s))"
"Total object scanned:";"6687"
"User who launched the scan:";"Allee"

"Infections"
"File";"Infection";"Result"
"C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2XXSXXH3\sd[1].exe";"Trojan horse Generic20.CLEL";"Moved to Virus Vault"

#9 Starbuck
    'r Brudiwr
  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 09 February 2011 - 07:43 PM

Hi alleecmo,

"Infections"
"File";"Infection";"Result"
"C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2XXSXXH3\sd[1].exe";"Trojan horse Generic20.CLEL";"Moved to Virus Vault"

If you set IE to remove the temp internet files every time it's closed down, you won't have to worry about cleaning these.

Start Internet Explorer >> Tools >> Internet Options >> Advanced tab.
Scroll down and place a tick against:
Empty Temporary Internet Files when browser closes.
Click Apply >> OK at the bottom.

I have saved that, TDSSKiller, MBAM, & ESET in my <SANITATION_DEPT> folder & will run them all regularly from now on!!


By all means keep MBAM ( just update it every day and it'll always be ready to use)
TDSSKiller and ESET are always the most up to date versions ...... they don't actually update when on your system.
So they'll need to be removed and a fresh copy downloaded if you ever need them again.

Also, TFC is a great little program to keep.... run it a couple of times a week.
