Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Is my computer (still) infected?

  • This topic is locked This topic is locked
5 replies to this topic

#1 Lunares


  • Members
  • 2 posts
  • Local time:10:03 PM

Posted 23 June 2011 - 01:04 AM

Here is the case, my computer was infected by Ramnit.I, but I noticed pretty quickly. And therefore after I ran ESET and BitDefender and look the logs for weeks now, and there are no infections in the log (There are no traces of the Ramnit.I either). My computer shows no signs of slowing down nevertheless, and everything seem to work fine. However when I ran the GMER scan, it shows that there are some activities/changes caused by the rootkits. Perhaps I'm being paranoid, but can you tell whether my computer has been compromised or not? Thanks in advance.

Note: The reason that the Antimalware updates were timed-out is because of the proxy. The programs of the computer cannot connect to the internet unless it has been configured with the proxy (in this case, proxy.sbm.itb.ac.id).

Here is my log
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_24
Run by Sychev Draienfeld at 12:45:57 on 2011-06-23
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.1783.659 [GMT 7:00]
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe
C:\Program Files\Modem AC2726i UI\bin\MonServiceUDisk.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesApp32.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Users\Sychev Draienfeld\Desktop\gmer.exe
============== Pseudo HJT Report ===============
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [SM?RT-Protection] c:\program files\smadav\SM?RTP.exe rtp
uRun: [Mobile Partner] "c:\program files\aha dialer\AHA Dialer.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: DhcpNameServer =
TCP: Interfaces\{3A3B691F-55C5-417D-BD2F-6AEE8DED3258} : DhcpNameServer =
TCP: Interfaces\{3A3B691F-55C5-417D-BD2F-6AEE8DED3258}\05F6E64756B633 : DhcpNameServer =
TCP: Interfaces\{3A3B691F-55C5-417D-BD2F-6AEE8DED3258}\16374727F6F5779666960313 : DhcpNameServer =
TCP: Interfaces\{3A3B691F-55C5-417D-BD2F-6AEE8DED3258}\759627160214E67657E6D214E67657E6 : DhcpNameServer =
TCP: Interfaces\{3A3B691F-55C5-417D-BD2F-6AEE8DED3258}\759627160214E67657E6D216E67657E60223 : DhcpNameServer =
TCP: Interfaces\{3A3B691F-55C5-417D-BD2F-6AEE8DED3258}\84F6473707F64702944524 : DhcpNameServer =
TCP: Interfaces\{3A3B691F-55C5-417D-BD2F-6AEE8DED3258}\946435D2734363732373 : DhcpNameServer =
TCP: Interfaces\{3A3B691F-55C5-417D-BD2F-6AEE8DED3258}\D656C6371686F6473707F647D2F6574746F6F627 : DhcpNameServer =
TCP: Interfaces\{3AE21E3D-09DC-46AD-98AA-7701CDADC358} : DhcpNameServer =
TCP: Interfaces\{DECFDD29-DA04-4614-B7E0-5BB268191E01} : DhcpNameServer =
TCP: Interfaces\{FA555411-CD24-466B-A101-55A22D169671} : DhcpNameServer =
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
================= FIREFOX ===================
FF - ProfilePath - c:\users\sychev draienfeld\appdata\roaming\mozilla\firefox\profiles\eba3oiho.default\
FF - prefs.js: network.proxy.ftp - proxy.sbm.itb.ac.id
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.http - proxy.sbm.itb.ac.id
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - proxy.sbm.itb.ac.id
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - proxy.sbm.itb.ac.id
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - user.js: network.http.max-connections-per-server - 6
FF - user.js: network.http.max-persistent-connections-per-server - 3
============= SERVICES / DRIVERS ===============
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-4-20 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-4-20 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-4-20 61960]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2011-3-25 583640]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2011\TuneUpUtilitiesService32.exe [2010-10-27 1483072]
R2 UDisk Monitor;UDisk Monitor;c:\program files\modem ac2726i ui\bin\MonServiceUDisk.exe [2011-5-1 266240]
R3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-3-31 218688]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-2-26 132480]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2010-10-15 269824]
R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\drivers\L1C62x86.sys [2009-6-11 50688]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2011\TuneUpUtilitiesDriver32.sys [2010-10-7 10064]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2011-6-12 112128]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2011-3-26 101376]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-3-26 1343400]
S3 ztemtusbser;ZTEMT Legacy Serial Communication;c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys [2011-5-1 104704]
=============== Created Last 30 ================
2011-06-21 01:11:41 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-19 03:58:24 6962000 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{73f63240-5529-4ca9-84b9-f2c266cee709}\mpengine.dll
2011-06-18 04:04:52 97792 ----a-w- c:\program files\mozilla firefox\smadav 2011 rev. 8.5\SmadExtc.dll
2011-06-18 04:04:52 1511458 ----a-w- c:\program files\mozilla firefox\smadav 2011 rev. 8.5\Smadav 2011 Rev. 8.5.exe
2011-06-18 04:04:52 101888 ----a-w- c:\program files\mozilla firefox\smadav 2011 rev. 8.5\SmadEngine.dll
2011-06-15 08:19:52 -------- d-----w- c:\program files\ITX Software
2011-06-15 08:04:04 -------- d-----w- c:\users\sychev draienfeld\appdata\roaming\GetRightToGo
2011-06-15 07:36:22 -------- d-----w- C:\SmartDraw VP
2011-06-13 08:09:46 -------- d-----w- c:\users\sychev draienfeld\appdata\roaming\ONScripter-EN
2011-06-12 15:09:55 621056 ----a-w- c:\windows\system32\drivers\mod7700.sys
2011-06-12 15:09:55 23424 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2011-06-12 15:09:55 112128 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2011-06-12 15:09:55 103040 ----a-w- c:\windows\system32\drivers\ewusbfake.sys
2011-06-12 15:09:55 102784 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2011-06-12 15:09:18 -------- d-----w- c:\program files\3 Mobile Broadband
2011-05-31 13:07:36 487479 ----a-w- c:\windows\system32\SkinMagic.dll
2011-05-31 13:07:36 -------- d-----w- c:\program files\Smallvideosoft
==================== Find3M ====================
2011-06-22 15:00:10 1942 --sha-w- c:\programdata\KGyGaAvL.sys
2011-04-06 08:33:48 3464104 ----a-w- c:\windows\system32\drivers\RTKVHDA.sys
2011-03-31 09:49:14 4105832 ----a-w- c:\windows\system32\RtkAPO.dll
2011-03-31 09:49:14 2160744 ----a-w- c:\windows\system32\RtkPgExt.dll
2011-03-31 04:57:14 218688 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2011-03-27 12:45:05 88 --sh--r- c:\programdata\6266B36892.sys
2011-03-27 03:23:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
============= FINISH: 12:46:29.46 ===============

Attached Files

BC AdBot (Login to Remove)


#2 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:03 AM

Posted 02 July 2011 - 08:25 PM


Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#3 Lunares

  • Topic Starter

  • Members
  • 2 posts
  • Local time:10:03 PM

Posted 07 July 2011 - 01:57 AM

Copy that.
I'm still here.

#4 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:03 AM

Posted 07 July 2011 - 06:31 PM

Ramnit is a serious infection and I usually choose to option a reformat/reinstall when I see it.

I would like to see if Combofix detects the infector

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Posted Image
m0le is a proud member of UNITE

#5 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:03 AM

Posted 12 July 2011 - 08:04 PM


I have not had a reply from you for 5 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.


Posted Image
m0le is a proud member of UNITE

#6 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:03 AM

Posted 13 July 2011 - 07:21 PM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
Posted Image
m0le is a proud member of UNITE

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users