
3 Types of Trojans detected while doing a complete scan


This topic is locked
25 replies to this topic

#1 Stacy Jamie

  • Members
  • 77 posts
  • Local time:01:50 AM

Posted 04 March 2011 - 09:48 AM

First, I got a 'HTML/Crypted.Gen [virus]' detected in file Temporary Internet Files\Content.IE5\TEL7PM9A\ddc[1].htm while I was browsing deviantart. When I checked the events log, multiple occurrences were in my temp internet files. Action performed: Deny access on all. hxxp://img64.imageshack.us/i/cryptgen.jpg/

Then I did a full MBAM scan and it found a d:\MuA\MUA.exe (Backdoor.Bot). Action performed: Quarantined and deleted successfully.

Did another complete system scan on Avira in safe mode. Nothing was found. Restarted...

Then did one more full MBAM scan, but while it was scanning, Avira alerted me with instances of a 'TR/Trash.Gen [trojan]' detected in file 'D:\System Volume Information\_restore{6AEDB137-A6B4-438B-B5A3-CFFE59B8F224}\RP160\A0030897.exe'. I disabled system restore temporarily to remove them. hxxp://img846.imageshack.us/i/trashgen.jpg/

After that, I did another full MBAM and Avira scan and no infections were found. Also did an ESET online scan and no threats were found.

Anyway, they all just popped up today, which is weird, because I do quick scans almost every week or twice a week and full scans every month. I don't know if the 3 types are related or it was a chain reaction. Now, I just want to know if this system is really clean. Thank you.

------------


DDS (Ver_10-12-12.02) - NTFSx86
Run by R3son at 19:04:21.67 on Fri 03/04/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2469 [GMT 8:00]

AV: AntiVir Desktop *Enabled/Updated* {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}

============== Running Processes ===============

C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\R3son\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
LSP: c:\program files\avira\antivir desktop\avsda.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1286566177218
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1295970346828
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-10-26 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-10-26 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-10-26 267944]
R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\avira\antivir desktop\avwebgrd.exe [2010-10-26 420520]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-10-26 61960]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2010-12-26 21992]
S4 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\avira\antivir desktop\avmailc.exe [2010-10-26 339624]

=============== Created Last 30 ================

2011-03-04 09:26:07 -------- d-----w- c:\program files\ESET
2011-03-04 03:04:43 -------- d-----w- c:\program files\CCleaner
2011-02-06 11:16:59 252080 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-02-06 11:16:55 252080 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-02-06 11:16:55 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-02-06 11:14:08 61440 ----a-w- c:\windows\system32\OpenCL.dll
2011-02-06 11:14:07 941160 ----a-w- c:\windows\system32\nvdispco322090.dll
2011-02-06 11:14:07 837736 ----a-w- c:\windows\system32\nvgenco322040.dll
2011-02-06 11:14:07 4980736 ----a-w- c:\windows\system32\nvcuda.dll
2011-02-06 11:14:07 2916968 ----a-w- c:\windows\system32\nvcuvid.dll
2011-02-06 11:14:07 2292678 ----a-w- c:\windows\system32\nvdata.bin
2011-02-06 11:14:07 2251368 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-02-06 11:14:07 1958400 ----a-w- c:\windows\system32\nvapi.dll
2011-02-06 11:14:07 14671872 ----a-w- c:\windows\system32\nvoglnt.dll
2011-02-06 11:14:07 13004800 ----a-w- c:\windows\system32\nvcompiler.dll

==================== Find3M ====================

2011-02-02 13:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 11:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-08 03:27:00 6397824 ----a-w- c:\windows\system32\nv4_disp.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2011-01-07 11:56:54 81920 ----a-w- c:\windows\system32\nvwddi.dll
2011-01-07 11:56:50 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll
2011-01-07 11:56:48 277608 ----a-w- c:\windows\system32\nvmccs.dll
2011-01-07 11:56:48 156776 ----a-w- c:\windows\system32\nvsvc32.exe
2011-01-07 11:56:48 145000 ----a-w- c:\windows\system32\nvcolor.exe
2011-01-07 11:56:48 13880424 ----a-w- c:\windows\system32\nvcpl.dll
2011-01-07 11:56:48 111208 ----a-w- c:\windows\system32\nvmctray.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59:19 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07:07 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe

============= FINISH: 19:04:46.03 ===============

Attached Files


Edited by Orange Blossom, 04 March 2011 - 12:12 PM.
Deactivated links. ~ OB



#2 rigacci (Fiorentino)

  • Members
  • 2,604 posts
  • Gender:Male
  • Local time:01:50 PM

Posted 10 March 2011 - 10:36 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks.

DR

#3 Stacy Jamie
  • Topic Starter

  • Members
  • 77 posts
  • Local time:01:50 AM

Posted 10 March 2011 - 10:45 PM

So far, no further infections have been detected lately by MBAM and Avira. Ran an ESET scan also yesterday and no threats were found. I just want to make sure that my system is completely clean.

As for the recent changes, the case was opened because the CPU was upgraded (those errors in the attach.txt -- 3/7/2011 nvgts, cdrom -- were because the cables were all reseated). Here are the fresh logs.

----------

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by R3son at 4:59:56.98 on Fri 03/11/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2496 [GMT 8:00]
.
AV: AntiVir Desktop *Disabled/Outdated* {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}
.
============== Running Processes ===============
.
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\R3son\Desktop\dds.scr
C:\Program Files\Avira\AntiVir Desktop\checkt.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
LSP: c:\program files\avira\antivir desktop\avsda.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1286566177218
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1295970346828
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-10-26 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-10-26 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-10-26 267944]
R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\avira\antivir desktop\avwebgrd.exe [2010-10-26 421032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-10-26 61960]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2011-3-7 22504]
S4 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\avira\antivir desktop\avmailc.exe [2010-10-26 339624]
.
=============== Created Last 30 ================
.
2011-03-10 04:00:09 -------- d-----w- c:\program files\ESET
2011-03-07 11:55:15 22504 ----a-w- c:\windows\system32\drivers\cpuz135_x32.sys
2011-03-07 11:55:15 -------- d-----w- c:\program files\CPUID
2011-03-04 03:04:43 -------- d-----w- c:\program files\CCleaner
.
==================== Find3M ====================
.
2011-02-06 11:16:59 252080 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-02-06 11:16:59 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-02-06 11:16:55 252080 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-02-02 13:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 11:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-08 03:27:00 941160 ----a-w- c:\windows\system32\nvdispco322090.dll
2011-01-08 03:27:00 837736 ----a-w- c:\windows\system32\nvgenco322040.dll
2011-01-08 03:27:00 6397824 ----a-w- c:\windows\system32\nv4_disp.dll
2011-01-08 03:27:00 61440 ----a-w- c:\windows\system32\OpenCL.dll
2011-01-08 03:27:00 4980736 ----a-w- c:\windows\system32\nvcuda.dll
2011-01-08 03:27:00 2916968 ----a-w- c:\windows\system32\nvcuvid.dll
2011-01-08 03:27:00 2292678 ----a-w- c:\windows\system32\nvdata.bin
2011-01-08 03:27:00 2251368 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-01-08 03:27:00 1958400 ----a-w- c:\windows\system32\nvapi.dll
2011-01-08 03:27:00 14671872 ----a-w- c:\windows\system32\nvoglnt.dll
2011-01-08 03:27:00 13004800 ----a-w- c:\windows\system32\nvcompiler.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2011-01-07 11:56:54 81920 ----a-w- c:\windows\system32\nvwddi.dll
2011-01-07 11:56:50 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll
2011-01-07 11:56:48 277608 ----a-w- c:\windows\system32\nvmccs.dll
2011-01-07 11:56:48 156776 ----a-w- c:\windows\system32\nvsvc32.exe
2011-01-07 11:56:48 145000 ----a-w- c:\windows\system32\nvcolor.exe
2011-01-07 11:56:48 13880424 ----a-w- c:\windows\system32\nvcpl.dll
2011-01-07 11:56:48 111208 ----a-w- c:\windows\system32\nvmctray.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59:19 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 5:00:15.12 ===============

Attached Files



#4 etavares (Bleepin' Remover)

  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:01:50 PM

Posted 12 March 2011 - 07:30 AM

Hello, Stacy Jamie.

My name is etavares and I will be helping you with this log. We've worked together before. This one looks easier. I will warn you about a Backdoor.bot below. The detection in your temp internet files means you were browsing a poisoned website. It's good that it was caught. The backdoor bot is unrelated. The one in system restore is just an inactive backup of one of those two. Don't forget to turn system restore back on; it appears to be off, so you're missing a safety net.

Here are some guidelines to ensure we are able to get your machine back under your control.

  • Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!

Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.




Registry Cleaner Warning


I also see that you have CCleaner installed. It is a great tool that I use. However, be careful of the registry cleaning functionality (versus file cleaning). Here at BC, we do not recommend using registry cleaners as they don't speed up your computer and they can do more harm than good if they remove a legitimate entry. If you do use it, make sure to use a tool like ERUNT to back up your registry first. Merely backing it up yourself via regedit won't help you if you can't boot up as a result!

See here for more information:
http://www.bleepingcomputer.com/forums/index.php?showtopic=238799&st=0&p=1326578&#entry1326578




Step 1

Let's run MBAM...please update it and run a quick scan and post the resulting log here.


Thanks!

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.



#5 Stacy Jamie
  • Topic Starter

  • Members
  • 77 posts
  • Local time:01:50 AM

Posted 12 March 2011 - 03:53 PM

Hi! Yes, I remember :)

Anyway, I have 5 questions before starting:

1. If I decide to reformat, will the system be safe even if I only touch the main partition (C:\)? I have 2 other partitions and I can't exactly back them up or move them to a spare HD as I have none. Basically, what I'm saying is, won't my system get reinfected (or remain compromised) if I don't touch (i.e. format) my other two partitions?

2. I'm not so comfortable changing my p/w's on another computer, so is it ok if I: reformat and change p/w in this PC after the reformat..?

3. I know it is better to err on the side of caution, especially when passwords are involved, but is there a possibility that the file in question could be a false positive? That file was an inactive game that my brother installed way back in Oct 2010. Since then, I've done quite a few full MBAM scans and nothing was detected until that latest update (when I posted). I know Avira has false positives, since I set my heuristic to high/paranoid level, but not so sure with MBAM.

4. I mentioned below that Avira is running in the background (guard and webguard) while MBAM scanned. Can it also generate false results?

5. Why didn't the quick scan detect the backdoor.bot?


MBAM Log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6037

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/13/2011 4:42:00 AM
mbam-log-2011-03-13 (04-42-00).txt

Scan type: Quick scan
Objects scanned: 151880
Time elapsed: 3 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Stacy Jamie, 12 March 2011 - 04:14 PM.


#6 Stacy Jamie
  • Topic Starter

  • Members
  • 77 posts
  • Local time:01:50 AM

Posted 12 March 2011 - 04:11 PM

I don't know if this will help but I'll be posting 3 logs (from the log history):

Log before infection (FULL SCAN):
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5875

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/26/2011 12:08:15 AM
mbam-log-2011-02-26 (00-08-15).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 313320
Time elapsed: 1 hour(s), 5 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Log with infection (FULL SCAN):
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5945

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/4/2011 1:27:04 PM
mbam-log-2011-03-04 (13-27-04).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 301890
Time elapsed: 1 hour(s), 1 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
d:\MuA\MUA.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

Log after infection (FULL SCAN):
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5949

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/4/2011 4:21:40 PM
mbam-log-2011-03-04 (16-21-40).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 272037
Time elapsed: 52 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

-------------------
Some notes:
1. File in question, according to my brother, was a Marvel Ultimate Alliance 1 exe file. Game was installed Oct 10, 2010 and played 2x (no online mode was used). Infection was only found March 4, 2010.

2. I don't turn off Avira while MBAM is quick scanning and/or full scanning.

3. List of logs and scans done are in this screencap ( hxxp://img856.imageshack.us/i/66830066.jpg/ ) - replace with "tt" .. the one highlighted is the one that is infected. Most of those are quick scans in between the full scans. All except for the blue one are clean and show clean logs.
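The three full-scan logs above (and the quick-scan log in post #5) share one fixed layout, which makes them easy to compare programmatically instead of by eye. The parser below is an added example, not Malwarebytes code: it reads an MBAM 1.x text log into a dictionary, checks that the per-category summary counts agree with the items actually listed under each heading, and reports what a later log detected that an earlier one did not. The function names are my own, and the two embedded logs are constructed, shortened copies modelled on the posted ones.

```python
import re

# Added example: parse Malwarebytes' Anti-Malware 1.x text logs and compare them.

CATEGORIES = (
    "Memory Processes", "Memory Modules", "Registry Keys",
    "Registry Values", "Registry Data Items", "Folders", "Files",
)
SUMMARY_RE = re.compile(r"^(?P<cat>.+?) Infected: (?P<n>\d+)$")   # "Files Infected: 1"
SECTION_RE = re.compile(r"^(?P<cat>.+?) Infected:$")              # "Files Infected:" heading
FIELD_RE = re.compile(r"^(Database version|Scan type|Objects scanned|Time elapsed): (.+)$")


def parse_mbam_log(text):
    """Return {'fields': {...}, 'counts': {category: int}, 'items': {category: [lines]}}."""
    result = {"fields": {}, "counts": {}, "items": {c: [] for c in CATEGORIES}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None              # a blank line closes an item section
            continue
        m = SUMMARY_RE.match(line)
        if m and m.group("cat") in CATEGORIES:
            result["counts"][m.group("cat")] = int(m.group("n"))
            continue
        m = SECTION_RE.match(line)
        if m and m.group("cat") in CATEGORIES:
            section = m.group("cat")
            continue
        m = FIELD_RE.match(line)
        if m:
            result["fields"][m.group(1)] = m.group(2)
            continue
        if section and line != "(No malicious items detected)":
            result["items"][section].append(line)   # one detection line, kept verbatim
    return result


def check_consistency(parsed):
    """Categories whose summary count disagrees with the items listed (should be empty)."""
    return [c for c in CATEGORIES
            if parsed["counts"].get(c, 0) != len(parsed["items"][c])]


def new_detections(before, after):
    """Detection lines present in `after` but absent from `before`, grouped by category."""
    out = {}
    for c in CATEGORIES:
        added = [i for i in after["items"][c] if i not in before["items"][c]]
        if added:
            out[c] = added
    return out


def _sample(db, files_line):
    """Build a constructed log in the MBAM 1.50 layout (not a real scan result)."""
    summary = "\n".join(
        f"{c} Infected: {1 if (c == 'Files' and files_line) else 0}" for c in CATEGORIES)
    sections = "\n\n".join(
        f"{c} Infected:\n" + (files_line if (c == "Files" and files_line)
                              else "(No malicious items detected)")
        for c in CATEGORIES)
    return (f"Malwarebytes' Anti-Malware 1.50.1.1100\nwww.malwarebytes.org\n\n"
            f"Database version: {db}\n\nScan type: Full scan (C:\\|D:\\|E:\\|)\n"
            f"Objects scanned: 301890\n\n{summary}\n\n{sections}\n")


# Constructed samples: a clean log and one with the single hit reported in this thread.
BEFORE_LOG = _sample(5875, None)
WITH_LOG = _sample(5945, r"d:\MuA\MUA.exe (Backdoor.Bot) -> Quarantined and deleted successfully.")

if __name__ == "__main__":
    before, with_hit = parse_mbam_log(BEFORE_LOG), parse_mbam_log(WITH_LOG)
    print("db versions:", before["fields"]["Database version"], "->", with_hit["fields"]["Database version"])
    print("inconsistent categories:", check_consistency(with_hit))
    print("new detections:", new_detections(before, with_hit))
```

Reading the database version alongside the detection is what makes the "was it the signature update?" question in this thread answerable: if a file that has sat unchanged on disk since October is first flagged by the scan run with a newer database, the change is in the signatures, not the file, and the false-positive discussion that follows is the right one to have.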

#7 Stacy Jamie
  • Topic Starter

  • Members
  • 77 posts
  • Local time:01:50 AM

Posted 12 March 2011 - 04:15 PM

So sorry about the questions and additional details :( Just want to exhaust every possibility (and learn at the same time) before I reformat.

#8 etavares (Bleepin' Remover)

  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:01:50 PM

Posted 13 March 2011 - 06:52 AM

If you decide to reformat, you'd want to do the whole computer. If you only reformat c:\ that's great, but viruses can reside in other partitions. E.g., the Backdoor.Bot was in your D:\ partition.

You can change passwords from anywhere.

It could be a false positive. Mua.exe is known as a Backdoor.Bot, but it's usually in the c:\windows\ folder, not in its own folder. If he downloaded the game from a torrent (peer-to-peer/file-sharing), then I would be very concerned. If it was installed from CD, Steam, or a legitimate game website, then that has a very good chance of being a false positive. Marvel Ultimate Alliance is a legitimate game.

Avira can be running in the background for this so that is OK.

The Quick Scan only searches in some folders on your computer to save time. It chooses locations where the majority of viruses live (e.g. C:\windows\system32\). It does not comprehensively scan your partitions or registry. The difference in time is very large (e.g. 5 minutes versus 1+ hours).

And...don't apologize for asking questions!

So, how do you want to proceed? Confirm your computer is clear, or are you planning on reformatting?




#9 Stacy Jamie
  • Topic Starter

  • Members
  • 77 posts
  • Local time:01:50 AM

Posted 13 March 2011 - 08:26 AM

I think I'll confirm first that my PC is clear and, from there, plan on backing up my files. Thanks

By the way, the same game from the same CD was installed on his roommate's laptop. It didn't have MBAM, so he installed it. But when he did a full scan, it came out negative for Backdoor.Bot. Was it a version/database issue? And can a backdoor bot randomly insert itself into a random exe file?

Edited by Stacy Jamie, 13 March 2011 - 09:04 AM.


#10 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:01:50 PM

Posted 13 March 2011 - 10:20 AM

OK, sounds good. A couple more questions.

Did he update MBAM after installing but before scanning? It could have been a false positive they resolved. There are patching viruses, but I don't think we're dealing with one here. And usually, if they patch one EXE, they run rampant over the whole computer, which we're not seeing here.

Your logs looked clean, and based on the MBAM and ESET scans I think you're okay. Is your computer running OK? One thing I did notice was that there weren't any system restore points. Did you turn it off intentionally? If not, viruses often do that and we can re-enable it.



#11 Stacy Jamie

Stacy Jamie
  • Topic Starter

  • Members
  • 77 posts
  • Local time:01:50 AM

Posted 13 March 2011 - 10:54 AM

No slowdown problems, except for internet connection latency and speed these past 2 days (but I believe it has something to do with the tsunami in Japan messing with the servers). No erratic behavior that I've seen, either.

As for System Restore: I turned it off the moment Avira spotted a virus in the restore points. When should I turn it back on?

#12 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:01:50 PM

Posted 13 March 2011 - 08:27 PM

Hello, Stacy Jamie.

OK, you're likely clean, but let's look for one more thing to be sure.

Step 1

  • Download TDSSKiller.exe and save it to your desktop.
  • Double-click TDSSKiller.exe to run it.
  • Under "Objects to scan" ensure both "Services and Drivers" and "Boot Sectors" are checked.
  • Click Start scan and allow it to scan for Malicious objects.
  • If malicious objects are found, the default action will be Cure, ensure Cure is selected then click Continue.
  • If suspicious objects are detected, the default action will be Skip, ensure Skip is selected then click Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now and allow the computer to reboot.
  • A log will be created on your root (usually C:) drive. The log is named like UtilityName.Version_Date_Time_log.txt, for example C:\TDSSKiller.2.4.1.2_20.04.2010_15.31.43_log.txt
  • If no reboot is required, click on Report. A log file should appear.
  • Please post the contents of the logfile in your next reply

etavares



#13 Stacy Jamie

Stacy Jamie
  • Topic Starter

  • Members
  • 77 posts
  • Local time:01:50 AM

Posted 15 March 2011 - 02:25 PM

Will scan as soon as I get home tomorrow.

I also forgot to mention finding this in the registry (Conduit.Engine). I don't know how long it has been installed, and all I know is that it is some sort of toolbar. No traces of it can be found anywhere (save for a folder in Program Files and a folder called C:\exclusions, both of which I deleted), so I assume it was uninstalled already. I just want to know if that registry entry (and any other remnants) can be a cause of those aforementioned viruses and if it is a current cause for concern.

Edit: CCleaner (registry cleaner) doesn't detect it as an issue, though.

regedit image link hxxp://img340.imageshack.us/i/regcond.jpg/

#14 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:01:50 PM

Posted 15 March 2011 - 10:12 PM

Hello, Stacy Jamie.

CCleaner is not a malware scanner. It looks for orphaned registry entries. We don't recommend using the registry cleaner functionality.

Registry Cleaner Warning

I also see that you have CCleaner installed. It is a great tool that I use. However, be careful of the registry cleaning functionality (versus file cleaning). Here at BC, we do not recommend using registry cleaners as they don't speed up your computer and they can do more harm than good if they remove a legitimate entry. If you do use it, make sure to use a tool like ERUNT to back up your registry first. Merely backing it up yourself via regedit won't help you if you can't boot up as a result!

See here for more information:
http://www.bleepingcomputer.com/forums/index.php?showtopic=238799&st=0&p=1326578&#entry1326578

That being said, Conduit toolbars do have a reputed tracking functionality, but I don't think that's what you had based on your description.

If you'd like, we can remove that entry.

etavares



#15 Stacy Jamie

Stacy Jamie
  • Topic Starter

  • Members
  • 77 posts
  • Local time:01:50 AM

Posted 16 March 2011 - 12:03 AM

With it being uninstalled (and no other traces of "conduit" found using search on all files, including hidden and system files), wouldn't it count as an orphaned registry entry?

But, yes, I'd want it removed.

Thanks.

I am using a different PC in the dorm at the moment, but I did the rootkit killer scan and nothing was found.
