
An "Anonymous Guest" indeed


This topic is locked
42 replies to this topic

#1 compromizedsys


Posted 11 August 2011 - 09:14 AM

History:

On the 28th of July I woke up in terror because my laptop had just booted itself.
At first I thought it might be a prank, so I looked at the BIOS settings, but no auto-boot functions had been activated.
Shortly after turning the zombified laptop off, it booted again.
For some reason I decided to go into safe mode and to my surprise I found it unable to boot.
Now I was suspecting that someone might be remotely controlling the device.
I cut all network connections, unplugged power, removed the battery and went on doing something totally unrelated.
I have hesitated a while to fix my laptop because I knew it would take an enormous amount of time.
Finally I plugged everything in again, updated Comodo AV, MBAM and SBS&D.
Then, all of a sudden, a FF window opened.
I looked at my firewall and noticed connections to Ukraine.
Firefox kept reloading the page (starting page), so I shut FF down and disconnected from the network.

***to be continued***


#2 compromizedsys


Posted 11 August 2011 - 09:38 AM

A short while after closing FF, I was spammed with a flood of new FF windows opening, loading and refreshing the starting page.
Since performance went down, I decided to reboot. Then I renamed Firefox.exe to firefox1.exe and I could operate again, although messages informing me that "firefox.exe could not be found" kept popping up, of course. I then went on and made IE the standard browser. Since then everything has been quiet again. I performed full scans with Comodo, MBAM, SBS&D and Panda Online:
One result (Comodo): "Packed.Win32.TDSS.~AA".
I then tried "Housecall" Online and it found rootkits "Worm_Prolaco.KA" and "Bkdr_Poison.ABP", which were fixed.
Then Comodo found "TrojWare.Win32.PSW.GamePass.E" and "TrojWare.Win32.Kryptik~NT" in Housecall's quarantine and fixed these.
(Why couldn't it find them in the wild?)

***to be continued***

#3 compromizedsys


Posted 11 August 2011 - 10:03 AM

"Packed.Win32.TDSS.~AA" originated from a file called "DBSplitter.exe" in the directory of a program called "Anonymous Guest Pro", which I installed recently to look up proxy servers.
Holy Moly, that official website looked so creepy, I should have known not to trust Russian software developers who present themselves like that... but I thought "Cultural differences!" and did it anyway.
During the installation Comodo notified me about setup trying to add a new registry entry called ".key".
HKLM/SOFTWARE/Classes/.key
I thought "maybe for registration purposes" and allowed it.
I trusted this program because multiple software sites reported it as "clean and safe to use".
I have uninstalled it in the meantime.

I'm typing this on another "device" since I still can't go into safe mode and make sure everything is clean again.

What baffles me is PSW.GamePass.E, since I never installed any "Online Games" for which this little devil seems to be designed.

*sorry for title typo & continued posts but char. limits force me to*

Edited by compromizedsys, 11 August 2011 - 10:26 AM.


#4 compromizedsys


Posted 15 August 2011 - 09:06 AM

A related issue:
Housecall mentioned in the description of WORM_PROLACO.KA
that it self-replicates to USB storage devices.
One hint of this might be the creation of a folder called "recycleR" and an "autorun.inf" in the root directory.
I have found a "recycleR" folder on my external HDD, but no "autorun.inf".
I have a folder called "recycleD" on my Windows partition, so I wonder if the "recycleR" is legitimate or fake.
/source: http://about-threats.trendmicro.com/malware.aspx?language=us&name=WORM_PROLACO.KA

Housecall report:

C:\Dokumente...\com.jeroenwijerin.players.sol
HIDDEN FILE / Rootkits / WORM_PROLACO.KA
C:\Dokumente...\settings.sol
HIDDEN FILE / Rootkits / BKDR_POISON.ABP

Is the last item a variant of the "Poison Ivy" rootkit discussed here:
http://kb.mozillazine.org/Firefox.exe_always_open ?
Does the infection of .sol files indicate an attack through Adobe Flash?

Thank you for reading.

Edited by compromizedsys, 15 August 2011 - 09:59 AM.
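The post above asks how to tell whether an "autorun.inf" plus a "recycleR" folder on a removable drive is a worm artefact or a normal Windows folder. The script below is an added example written for this thread, not code from the poster, from Trend Micro or from any tool mentioned here. It walks a drive root, parses the [autorun] section of any autorun.inf (the open= and shellexecute= keys are what Windows would launch on AutoPlay) and reports a recycler-named folder. Windows XP itself keeps a RECYCLER folder on NTFS volumes and Recycled on FAT volumes, so the name alone proves little; the script therefore only reports the folder when it holds executable files at its top level, which is a heuristic of this example. The sample drive root is constructed in a temporary directory so the script runs anywhere.

```python
"""Triage the root of a removable drive for autorun-worm artefacts.

Added example (not code from the thread or from any tool named in it).
It checks for the two indicators the poster quotes from the WORM_PROLACO.KA
description: an autorun.inf in the drive root and a "recycleR" folder.
The autorun.inf parser and the folder heuristic are assumptions of this
example; the sample drive root is constructed in a temporary directory.
"""
import os
import tempfile

# Keys in the [autorun] section that make Windows launch a program.
LAUNCH_KEYS = ("open", "shellexecute")
# Extensions that count as executable when found directly inside the folder.
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs"}
# Folder name quoted in the thread; compared case-insensitively.
SUSPECT_FOLDER = "recycler"


def parse_autorun(path):
    """Return key/value pairs from the [autorun] section of an autorun.inf.

    Keys are lower-cased; lines outside [autorun], blank lines and ';'
    comments are ignored. autorun.inf is ANSI text, hence latin-1.
    """
    keys = {}
    in_section = False
    with open(path, encoding="latin-1", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith(";"):
                continue
            if line.startswith("[") and line.endswith("]"):
                in_section = line[1:-1].strip().lower() == "autorun"
                continue
            if in_section and "=" in line:
                key, value = line.split("=", 1)
                keys[key.strip().lower()] = value.strip()
    return keys


def folder_has_executables(folder):
    """Heuristic: loose executables directly in the folder. XP's own
    RECYCLER holds per-user subfolders, not programs at its top level."""
    for entry in os.listdir(folder):
        full = os.path.join(folder, entry)
        if os.path.isfile(full) and os.path.splitext(entry)[1].lower() in EXEC_EXT:
            return True
    return False


def triage_drive_root(root):
    """Return a list of (indicator, detail) findings for one drive root."""
    findings = []
    for name in sorted(os.listdir(root)):
        full = os.path.join(root, name)
        if name.lower() == "autorun.inf" and os.path.isfile(full):
            keys = parse_autorun(full)
            launch = {k: keys[k] for k in LAUNCH_KEYS if k in keys}
            findings.append(("autorun.inf", launch))
        elif os.path.isdir(full) and name.lower() == SUSPECT_FOLDER:
            if folder_has_executables(full):
                findings.append(("executables in recycler folder", name))
    return findings


def build_sample_root(clean=False):
    """Construct a drive root (sample data). With clean=True it is empty;
    otherwise it mimics the two indicators from the thread."""
    root = tempfile.mkdtemp(prefix="usbroot_")
    if clean:
        return root
    inf = ("[autorun]\r\n"
           "open=RECYCLER\\payload.exe\r\n"
           "shell\\open=Open\r\n")
    with open(os.path.join(root, "autorun.inf"), "w", encoding="latin-1", newline="") as fh:
        fh.write(inf)
    os.mkdir(os.path.join(root, "recycleR"))
    with open(os.path.join(root, "recycleR", "payload.exe"), "wb") as fh:
        fh.write(b"MZ")  # placeholder bytes, not a real program
    return root


if __name__ == "__main__":
    for indicator, detail in triage_drive_root(build_sample_root()):
        print(indicator, "->", detail)
```

Run it against a real drive by passing the mount point (for example `E:\`) to `triage_drive_root` instead of the constructed root; a finding of the first kind shows exactly which file AutoPlay would have started, which is the detail to compare against the vendor description.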


#5 HelpBot


Posted 16 August 2011 - 03:00 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/413898 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#6 compromizedsys


Posted 17 August 2011 - 07:00 AM

Good day!

1.
I think I have mentioned everything I can recall.

2.
In order to be able to upload the logs from this device, I had to attach the text to an image; I hope this is acceptable.

DDS Log
Defogger Log
Gmer Log

One would have to open these images in Notepad to view the log attached.
I don't have any other means to upload logs atm, since my device restricts upload of certain file types.
Sorry to make things complicated.

3.
No, I don't have a CD/DVD, the OS was pre-installed.
I hope there is a work-around, but I might be able to borrow a CD/DVD from a local computer repair shop.

4.
Thank you very much.
Like I already mentioned, I hope my unconventional way of uploading logs is not too annoying, but I don't want to use the affected laptop to upload logs, since it appears the hackers are after my information.

Edited by compromizedsys, 17 August 2011 - 07:02 AM.


#7 compromizedsys


Posted 17 August 2011 - 07:14 AM

> We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Yes, I see there is a certain type of infection going viral these days.
I can not even imagine the amount of work it takes to analyze all those logs.
I will try to log in and see if anything has been posted at least once a day.

You might not read this often, HelpBot, but you're doing a great job for "a silly little program running on the BleepingComputer.com servers" :) !

Edited by compromizedsys, 17 August 2011 - 07:22 AM.


#8 Grinler

Lawrence Abrams, Admin

Posted 18 August 2011 - 01:14 PM

Unfortunately the images you supplied are not readable. In order to help you, we will need the actual log files as replies or attachments in this topic rather than images. Please boot into normal mode, create those logs, and either post them from the infected computer or copy them to a flash drive and post them from another computer.

Without those logs, we will unfortunately be unable to help you. Once you post the necessary logs, please be patient until a Malware Response Team member helps you.

#9 m0le

Malware Response Team

Posted 18 August 2011 - 07:32 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please carry out HelpBot's and Grinler's instructions above and we can take it from there.
m0le is a proud member of UNITE

#10 compromizedsys


Posted 19 August 2011 - 06:58 AM

Hello Grinler & m0le!
I have used this particular method to attach text to an image.
I have re-downloaded these images from the host site, renamed them to *.txt, opened them in Notepad, and it appears to me that all info is still there.
I have used a dozen blank lines to physically and visually separate the image information from the logs. Besides this, the logs are in original form and format, located at the bottom.

Well, I could use a flash storage device to upload from another computer, but I am not certain if the risk of USB infection is out of the question atm.
How can I protect the foreign computer from USB infection?


Thank you for reading.

Edit:
I'll use the method described here to protect the other PC from USB infection, if that's all it takes and the article isn't obsolete.
Your opinion?

Edited by compromizedsys, 19 August 2011 - 07:46 AM.


#11 compromizedsys


Posted 19 August 2011 - 11:27 AM

Hello again, m0le!

I have decided to give the USB autorun prevention method above a try
and as a result i am posting the requested LOGs in the requested manner from someone else's computer.
I just hope that other methods of exploiting USB connectivity have not yet been developed.



DEFOGGER LOG:

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 12:15 on 17/08/2011 (User)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...
SPTD -> Disabled

-=E.O.F=-




DDS LOG:

DDS (Ver_2011-06-23.01) - FAT32x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by User at 12:31:19 on 2011-08-17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.49.1031.18.735.404 [GMT 2:00]
.
AV: COMODO Antivirus *Enabled/Updated* {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: Online Armor Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Programme\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Programme\Tall Emu\Online Armor\OAcat.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\avmwlanstick\wlangui.exe
C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\avmwlanstick\WlanNetService.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
.
============== Pseudo HJT Report ===============
.
mURLSearchHooks: H - No File
mURLSearchHooks: H - No File
mURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEHelper.dll
BHO: KeyScramblerBHO Class: {2b9f5787-88a5-4945-90e7-c4b18563bc5e} - c:\programme\keyscrambler\KeyScramblerIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programme\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programme\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [@OnlineArmor GUI] "c:\programme\tall emu\online armor\oaui.exe"
mRun: [AVMWlanClient] c:\programme\avmwlanstick\wlangui.exe
mRun: [COMODO Internet Security] "c:\programme\comodo\comodo internet security\cfp.exe" -h
mRun: [SunJavaUpdateSched] "c:\programme\gemeinsame dateien\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\programme\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\programme\gemeinsame dateien\adobe\arm\1.0\AdobeARM.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programme\messenger\msmsgs.exe
IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - c:\programme\keyscrambler\KeyScramblerIE.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229076368068
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{FE99D185-4C1C-4748-8B6A-12547D3CA167} : DhcpNameServer = 192.168.178.1
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\programme\hp\hpcoretech\comp\hpuiprot.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\tallem~1\online~1\oaevent.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\dokumente und einstellungen\user\anwendungsdaten\mozilla\firefox\profiles\hy4bwfvf.default\
FF - prefs.js: browser.search.selectedEngine - Scroogle SSL search
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&tb_ver=2.0.0.4&q=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\dokumente und einstellungen\user\anwendungsdaten\mozilla\firefox\profiles\hy4bwfvf.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - plugin: c:\programme\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\programme\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\programme\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\programme\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\programme\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\programme\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\programme\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\programme\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: KeyScrambler: keyscrambler@qfx.software.corporation - %profile%\extensions\keyscrambler@qfx.software.corporation
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\programme\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2011-7-31 28552]
R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2011-1-6 15592]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2011-1-6 239368]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2010-2-10 202064]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2010-2-10 25000]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2010-2-10 29272]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\programme\comodo\comodo internet security\cmdagent.exe [2011-1-17 1803224]
R2 OAcat;Online Armor Helper Service;c:\programme\tall emu\online armor\oacat.exe [2010-2-10 380784]
R3 BazisVirtualCDBus;WinCDEmu Virtual Bus Driver;c:\windows\system32\drivers\BazisVirtualCDBus.sys [2010-4-6 98400]
R3 CVIAAUD;Acer VIA 3D Environmental Audio;c:\windows\system32\drivers\cviaaud.sys [1980-1-1 321280]
R3 CVIAHALA;CVIAHALA;c:\windows\system32\drivers\cviahal.sys [1980-1-1 215104]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2010-1-27 225856]
R3 ViaModem;ViaModem;c:\windows\system32\drivers\ViaModem.sys [1980-1-1 66337]
S0 mgylp;mgylp;c:\windows\system32\drivers\tqgi.sys --> c:\windows\system32\drivers\tqgi.sys [?]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [2011-2-15 38856]
S2 ALIEHCD;ALi PCI to USB Enhanced Host Controller;c:\windows\system32\drivers\aliehci.sys --> c:\windows\system32\drivers\ALIEHCI.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 msav;Moon Secure Antivirus Core;c:\programme\moon secure antivirus\msavcore.exe --> c:\programme\moon secure antivirus\msavcore.exe [?]
S2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys [2007-6-23 45440]
S2 SvcOnlineArmor;Online Armor;c:\programme\tall emu\online armor\oasrv.exe [2010-2-10 3652696]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
S3 avmeject;AVM Eject;c:\windows\system32\drivers\avmeject.sys [2006-12-28 4352]
S3 CSTDIDRV;CSTDIDRV;c:\windows\system32\drivers\cstdi50.sys --> c:\windows\system32\drivers\CSTDI50.sys [?]
S3 FWLANUSB;AVM FRITZ!WLAN;c:\windows\system32\drivers\fwlanusb.sys [2007-6-22 265088]
S3 G3GRSC;G3G R Smart Card;c:\windows\system32\drivers\g3grsc.sys [2007-3-12 19328]
S3 G3GRUMDM;G3G R USB Modem;c:\windows\system32\drivers\g3grumdm.sys [2007-3-12 28416]
S3 G3GRUSER;G3G R USB Serial;c:\windows\system32\drivers\g3gruser.sys [2007-3-12 24576]
S3 gttap1;GoTrusted TAP Adapter;c:\windows\system32\drivers\gttap1.sys --> c:\windows\system32\drivers\gttap1.sys [?]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys --> c:\windows\system32\drivers\massfilter.sys [?]
S3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [2007-6-23 56960]
S3 rk_remover;rk_remover;\??\c:\windows\system32\drivers\rk_remover.sys --> c:\windows\system32\drivers\rk_remover.sys [?]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 Zsc;Zsc;c:\windows\system32\drivers\Zsc.sys [2010-2-23 78336]
.
=============== Created Last 30 ================
.
2011-08-01 11:22:28 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-07-31 03:00:15 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2011-07-31 02:55:39 -------- d-----w- c:\programme\Panda Security
.
==================== Find3M ====================
.
2011-06-06 11:35:26 1859072 ----a-w- c:\windows\system32\win32k.sys
2011-05-29 07:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 07:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-25 10:52:34 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 12:33:04,06 ===============


Oh boy, oh boy... What a wall of text!
I had to attach the GMER_LOG because it is way too long to post here.
I hope this is appropriate.



Thank you in advance!



Edited by compromizedsys, 19 August 2011 - 11:35 AM.
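The SERVICES / DRIVERS section of the DDS log above is what a malware responder reads first, and a few of its lines are worth understanding mechanically: each line is `<status> <name>;<display name>;<path> [<date> <size>]`, and where DDS could not find the file on disk it prints `--> <path> [?]` instead of the date and size. The parser below is an added example written for this thread, not part of DDS or of the thread; the line format is inferred from the posted log, the sample lines are copied from it, and the reasons it attaches (file not found, boot/system start, service name unlike the driver file name) are a triage heuristic of this example, not a verdict on any entry. An entry like `mgylp` pointing at `tqgi.sys` collects all three reasons, which is why a helper would look at it before the rest.

```python
"""Parse the SERVICES / DRIVERS section of a DDS log and flag entries
worth a second look.

Added example; it is not part of the thread and not a DDS feature. The
line format is inferred from the log posted above:
  <status> <name>;<display name>;<path> [<date> <size>]
  <status> <name>;<display name>;<path> --> <path> [?]
The [?] in place of date and size is taken to mean DDS could not find
the file on disk. The sample lines are copied from the posted log; the
triage reasons are a heuristic of this example, not a verdict.
"""
import re

SERVICE_RE = re.compile(
    r"^(?P<status>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
REST_RE = re.compile(
    r"^(?P<path>.*?)(?: --> (?P<resolved>.*?))? \[(?P<meta>[^\]]*)\]$")
BOOT_START = {"R0", "S0", "R1", "S1"}  # loads before most defences do

# Sample input: lines copied from the DDS log posted in this thread.
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2011-7-31 28552]
R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2011-1-6 15592]
S0 mgylp;mgylp;c:\windows\system32\drivers\tqgi.sys --> c:\windows\system32\drivers\tqgi.sys [?]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
S3 rk_remover;rk_remover;\??\c:\windows\system32\drivers\rk_remover.sys --> c:\windows\system32\drivers\rk_remover.sys [?]
.
"""


def driver_stem(path):
    """File name without directory or extension: '...\\tqgi.sys' -> 'tqgi'."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0] if "." in base else base


def parse_dds_service_line(line):
    """Parse one service/driver line into a dict; None for any other line."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    r = REST_RE.match(m.group("rest"))
    if not r:
        return None
    meta = r.group("meta").split()
    entry = {
        "status": m.group("status"),
        "name": m.group("name"),
        "display": m.group("display"),
        "path": r.group("path"),
        "file_missing": r.group("meta") == "?",
        "date": None,
        "size": None,
    }
    if len(meta) == 2 and meta[1].isdigit():
        entry["date"], entry["size"] = meta[0], int(meta[1])
    return entry


def parse_dds_services(text):
    """All parsable service/driver entries from a DDS log or a section of it."""
    entries = []
    for line in text.splitlines():
        entry = parse_dds_service_line(line)
        if entry:
            entries.append(entry)
    return entries


def triage_dds_services(text):
    """Map service name -> reasons, for every entry whose file was not found."""
    flagged = {}
    for e in parse_dds_services(text):
        if not e["file_missing"]:
            continue
        reasons = ["file not found at scan time"]
        if e["status"] in BOOT_START:
            reasons.append("boot/system start (%s)" % e["status"])
        stem = driver_stem(e["path"])
        if stem.lower() != e["name"].lower():
            reasons.append("service name differs from driver file name (%s)" % stem)
        flagged[e["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage_dds_services(SAMPLE_DDS).items():
        print("%-28s %s" % (name, "; ".join(reasons)))
```

Paste a whole DDS log into `triage_dds_services`; it ignores the other sections because only service/driver lines match the pattern. Entries with one reason only are usually leftovers of uninstalled software, which is why the reasons are listed rather than summed into a score.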


#12 Grinler

Lawrence Abrams, Admin

Posted 19 August 2011 - 11:35 AM

I think this is enough to go on. Did you post the original image-logs from the infected computer?

#13 compromizedsys


Posted 19 August 2011 - 11:41 AM

> I think this is enough to go on. Did you post the original image-logs from the infected computer?

No, I have posted the images from a PS3, as it is almost "unhackable", but unfortunately it can only upload images, sound files and video.
That is why I tried the "unconventional" approach earlier :lmao:

Well, I guess it was fun anyway.

#14 Grinler

Lawrence Abrams, Admin

Posted 19 August 2011 - 12:57 PM

I think it would be ok and safer to just upload the log files going forward directly from the infected computer. Unless it is not letting you of course.

Thanks for the logs. Please be patient till M0le gets back to you.

#15 compromizedsys


Posted 19 August 2011 - 05:39 PM

> I think it would be ok and safer to just upload the log files going forward directly from the infected computer. Unless it is not letting you of course.
>
> Thanks for the logs. Please be patient till M0le gets back to you.

The reason was that I am worried about the hacker's return, or even about giving him/them the time to transfer stolen data from my computer.
As I am unable to go into safe mode, I don't dare to give him/them this advantage.
But now I will stop experimenting with my unusual work-arounds and continue to post the logs from someone else's PC, until all malware is removed.
Thank you for your reply and thanks to m0le for the effort!



