
Notice Win32/Obfuscated.GEN and some .exe's keep infected



#1 andecrucio

  • Members
  • 1 posts

Posted 15 April 2011 - 05:40 PM

My .exe's keep getting infected, I can run some of the programs, and my antivirus keeps quarantining the files.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Ande Crucio at 21:33:33.92 on Fri 04/15/2011
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1217 [GMT 7:00]
.
AV: ESET Smart Security 4.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Modem AC2726i UI\bin\MonServiceUDisk.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\WTClient.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Ande Crucio\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Groove Folder Synchronization: {2a541ae1-5bf6-4665-a8a3-cfa9672e4291} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\ande crucio\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [WTClient] WTClient.exe
mRun: [M-Audio Taskbar Icon] c:\windows\system32\M-AudioTaskBarIcon.exe
mRun: [DigidesignMMERefresh] c:\program files\digidesign\drivers\MMERefresh.exe
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
StartupFolder: c:\docume~1\andecr~1\startm~1\programs\startup\borgchat.lnk - c:\program files\borgchat\BORGChat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\matrix~1.lnk - c:\program files\baroufasoft\matrix screen locker\matrix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\rainme~1.lnk - c:\program files\rainmeter\Rainmeter.exe
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
LSP: c:\windows\system32\idmmbc.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1302483766890
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {5EC10701-6DE3-4A22-B735-47ED93C79CAE} = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~4\office12\GR99D3~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\andecr~1\applic~1\mozilla\firefox\profiles\3gjsw8xe.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: network.proxy.http - 203.128.84.27
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\ande crucio\application data\idm\idmmzcc3\components\idmmzcc.dll
FF - plugin: c:\documents and settings\ande crucio\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: IDM CC: mozilla_cc@internetdownloadmanager.com - c:\documents and settings\ande crucio\application data\idm\idmmzcc3
FF - Ext: Mobile Barcoder: {A5C87640-F7CF-11DA-974D-0800200C9A66} - %profile%\extensions\{A5C87640-F7CF-11DA-974D-0800200C9A66}
FF - Ext: SkipScreen: SkipScreen@SkipScreen - %profile%\extensions\SkipScreen@SkipScreen
FF - Ext: User Agent Switcher: {e968fc70-8f95-4ab9-9e79-304de2a71ee1} - %profile%\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
.
============= SERVICES / DRIVERS ===============
.
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2010-10-16 13696]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-2-22 114984]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2010-2-22 810120]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-26 35088]
R2 UDisk Monitor;UDisk Monitor;c:\program files\modem ac2726i ui\bin\MonServiceUDisk.exe [2011-1-22 266240]
R3 PTSimBus;PenTablet Bus Enumerator;c:\windows\system32\drivers\PTSimBus.sys [2009-6-22 23208]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\starwindserviceae.exe --> c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-10-16 1684736]
S3 MAUSBFT;Service for M-Audio Fast Track;c:\windows\system32\drivers\mausbft.sys [2010-12-22 156552]
S3 PTSimHid;PenTablet Simulated HID MiniDriver;c:\windows\system32\drivers\PTSimHid.sys [2009-6-22 14504]
S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 ztemtusbser;ZTEMT Legacy Serial Communication;c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys [2011-1-22 104704]
.
=============== Created Last 30 ================
.
2011-04-15 10:42:11 -------- d-----w- c:\docume~1\andecr~1\applic~1\Malwarebytes
2011-04-15 10:42:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-15 10:42:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-14 09:59:59 -------- d-----w- c:\docume~1\andecr~1\locals~1\applic~1\Temp
2011-04-14 09:59:53 -------- d-----w- c:\docume~1\andecr~1\locals~1\applic~1\Google
2011-04-14 09:59:17 -------- d-----w- c:\docume~1\andecr~1\locals~1\applic~1\Deployment
2011-04-13 17:45:27 -------- d-----w- c:\docume~1\andecr~1\locals~1\applic~1\Yahoo
2011-04-13 17:43:29 -------- d-----w- c:\program files\Yahoo!
2011-04-13 11:13:33 -------- d-----w- c:\documents and settings\ande crucio\Tracing
2011-04-13 08:54:46 -------- d-----w- c:\program files\Microsoft
2011-04-13 08:54:25 -------- d-----w- c:\program files\Windows Live SkyDrive
2011-04-13 08:44:39 -------- d-----w- c:\program files\common files\Windows Live
2011-04-13 07:53:08 -------- d-----w- c:\program files\BORGChat
2011-04-12 17:30:42 -------- d-----w- c:\docume~1\andecr~1\applic~1\Xilisoft
2011-04-12 01:48:43 -------- d-----w- c:\program files\TweetDeck
2011-04-11 07:24:53 -------- d-----w- c:\program files\AMD APP
2011-04-11 07:23:06 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2011-04-11 07:23:06 1112576 ----a-w- c:\windows\system32\ativvamv.dll
2011-04-11 07:21:36 -------- d-----w- C:\ATI
2011-04-11 05:44:56 -------- d-----w- c:\docume~1\andecr~1\applic~1\Rainmeter
2011-04-11 05:44:50 -------- d-----w- c:\program files\Rainmeter
2011-04-11 01:09:37 -------- d-----w- c:\windows\system32\PreInstall
2011-04-11 01:04:03 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2011-04-11 00:37:55 -------- d-----w- c:\docume~1\andecr~1\locals~1\applic~1\ESET
2011-04-11 00:37:55 -------- d-----w- c:\docume~1\andecr~1\applic~1\ESET
2011-04-11 00:37:18 -------- d-----w- c:\program files\ESET
2011-04-09 20:19:13 -------- d-----w- c:\program files\BaroufaSoft
2011-04-09 20:18:45 -------- d-----w- c:\program files\WinPcap
2011-04-09 19:11:48 -------- d-----w- c:\windows\Downloaded Installations
2011-04-09 16:54:15 -------- d-----w- c:\program files\GlobFX
2011-04-09 16:38:18 1409 ----a-w- c:\windows\QTFont.for
2011-04-05 23:20:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\Solidshield
2011-04-05 23:20:34 -------- d-----w- c:\docume~1\alluse~1\applic~1\Electronic Arts
2011-04-05 23:20:34 -------- d-----w- c:\docume~1\alluse~1\applic~1\EA Core
2011-04-02 15:32:00 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2011-04-02 15:32:00 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2011-04-02 15:31:59 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2011-04-02 15:31:59 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2011-04-02 15:31:59 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2011-04-02 15:31:59 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2011-04-02 15:31:59 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2011-04-02 15:25:01 -------- d-----w- c:\program files\Dragon Age 2
2011-04-02 15:25:01 -------- d-----w- c:\program files\common files\BioWare
2011-04-02 15:18:14 -------- d-----w- c:\program files\DAEMON Tools Lite
2011-04-01 12:53:39 -------- d-----w- c:\program files\Xilisoft
2011-03-21 12:56:22 59904 ----a-w- c:\windows\system32\OVDecode.dll
2011-03-21 12:56:06 51712 ----a-w- c:\windows\system32\OpenCL.dll
2011-03-21 12:55:46 12385792 ----a-w- c:\windows\system32\amdocl.dll
2011-03-21 09:27:14 -------- d-----w- c:\program files\Cheat Engine 6
.
==================== Find3M ====================
.
2011-03-15 07:32:13 122219 ----a-w- C:\subafsfile0.bin
2011-03-15 07:32:13 1050688 ----a-w- C:\bin0.bin
2011-03-09 05:44:26 17444864 ----a-w- c:\windows\system32\atioglxx.dll
2011-03-09 05:04:02 57344 ----a-w- c:\windows\system32\aticalrt.dll
2011-03-09 05:03:56 53248 ----a-w- c:\windows\system32\aticalcl.dll
2011-03-09 05:02:38 4669440 ----a-w- c:\windows\system32\aticaldd.dll
2011-03-09 05:00:12 491520 ----a-w- c:\windows\system32\atiok3x2.dll
2011-03-09 04:51:42 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2011-03-09 04:48:12 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-03-09 04:47:12 302080 ----a-w- c:\windows\system32\ati2dvag.dll
2011-03-09 04:46:08 4148544 ----a-w- c:\windows\system32\ati3duag.dll
2011-03-09 04:32:20 2681600 ----a-w- c:\windows\system32\ativvaxx.dll
2011-03-09 04:29:34 212992 ----a-w- c:\windows\system32\atipdlxx.dll
2011-03-09 04:29:24 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2011-03-09 04:29:18 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2011-03-09 04:29:12 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2011-03-09 04:29:02 188416 ----a-w- c:\windows\system32\ati2evxx.dll
2011-03-09 04:27:58 643072 ----a-w- c:\windows\system32\ati2evxx.exe
2011-03-09 04:26:50 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2011-03-09 04:22:54 651264 ----a-w- c:\windows\system32\atikvmag.dll
2011-03-09 04:21:12 200704 ----a-w- c:\windows\system32\atiadlxx.dll
2011-03-09 04:20:52 17408 ----a-w- c:\windows\system32\atitvo32.dll
2011-03-09 04:19:40 64512 ----a-w- c:\windows\system32\atimpc32.dll
2011-03-09 04:19:40 64512 ----a-w- c:\windows\system32\amdpcom32.dll
2011-03-09 04:16:18 851968 ----a-w- c:\windows\system32\ati2cqag.dll
2011-02-19 18:09:02 184320 ----a-w- c:\windows\system32\comhost.dll
2011-02-02 14:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 12:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
============= FINISH: 21:34:05.93 ===============



#2 m0le


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 24 April 2011 - 06:12 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there. The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic, and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 m0le


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 29 April 2011 - 06:37 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
m0le is a proud member of UNITE
