Struggling with suspected trojan/rootkit


  • This topic is locked
23 replies to this topic

#1 fionna&cake

fionna&cake

  • Members
  • 12 posts

Posted 04 December 2011 - 03:45 AM

Hello, I’m running on a 32 bit Windows 7 OS. These problems started about 5 or so days ago.

When I first noticed the infection, google chrome was open and wiped all my bookmark icons. It then did not allow me to run any more programs after that. I tried itunes, eset, and relaunching chrome. I was afraid of further damage to my computer so I quickly shut it down and started in safe mode.
It also seemed to have attacked my audio drivers, but after resetting the computer all of these problems have vanished, although my desktop background has been erased. No suspicious programs with suspicious descriptions were noted in the taskmanager.


The symptom I have that is consistent is Windows security system attempting to alert me of infection, but the tab containing the information of what was going on flashed a millisecond fast, making it impossible to read without video capture. It states all my anti virus programs are disabled, including ESET and my security center service. It refuses to let me turn on any of them, and when it does, it just turns them off in a millisecond again, or states “(program name) could not be turned on!” ESET says nothing is wrong with its current state during that time. This instance occurs without fail every time I start into normal mode. I also cannot turn security system back on in safe mode. Same error.

After booting into safe mode, I began scanning with scanners and programs recommended by a friend.

Although most of these scans don’t show anything at all, Eset system inspector and Unhack me have revealed some results.
One file, “LXUFXKE.exe” is detected by eset system inspector and unhack me (when running a start up scan the first few times). Unhack me requested to delete it, which I allowed, and then the computer promptly froze.
After trying this twice and looking at eset’s system inspector I can see it is still there, although invisible. (EDIT, PROGRAM NO LONGER SHOWN IN SYSTEM INSPECTOR, PREVIOUS LOCATION ALSO UNKNOWN)

Ran UnHackMe regular on-line scan and it detected “NGBNLCNC.EXE” and “catchme.sys” in my AppData\Local\temp folder. Only detected by UnHackMe and ESET System Inspector. Attempted to remove them but got the error “file not found”. Then I ran a start up scan and removed them, but they still show up on ESET’s System Inspector. I’ve also tried revealing them via “unhide.exe”, downloaded from Bleeping Computer. No results.

Another file revealed by eset system inspector is “local\temp\kwloapow.sys”.

SuperantiSpyware claims to have detected “trojan agent/gen-nullo” which I cleaned and rebooted afterward. After a second scan it states my computer is clean.


So far I’ve run these scans:
  • Gmer (scanned 4 times, log attached, downloaded randomly generated name directly to desktop)
  • Eset 5 (scanned 3 times, one .exe deleted from what I recall, no other results since then)
  • Avg (uninstalled now) (no results)
  • Malware bytes (no results)
  • Norton Power Eraser (one false positive result)
  • TDSSkiller (no results)
  • aswMBR.exe (Avast program) (finds one “suspicious” file, “system 32\apisetchema.dll” )
  • Unhack me (7 invisible results, majority are harmless, primary concern is the first .exe mentioned above)
  • Superanti spyware (found the Trojan)
  • Microsoft safety scan(no results)
  • And combofix. (would have not used it if I knew not to before, many apologies. No apparent results though…)

After another reboot today with unhack me startup scan, I attempted to remove “catchme.sys” and “NGBNLCNC.exe” (to no avail). Unhack me no longer reported “LXUFXKE.exe” being present. I then ran Rkill-twice- it said it did not stop any programs, and the signs of my computer being attacked were still showing.

I then ran Rootkit revealer, which after about an hour scan revealed quite a list of things wrong. I attempted to save the log, and the program froze. I tried scanning it again for the second and third time with the same result. I also opened securitytaskmanager in this time and nothing stood out except superantispyware adblocker. I did all of this with my internet connection turned off for good measure.

I also noticed after leaving my browser open in safe mode for about 20 minutes, there was a suspicious link entered in the blank tab when I returned. See below.
http://d3.zedo.com/jsc/d3/ff2.html?n=790;c=3043;s=2616;d=16;w=1024;h=768

I’d also like to note, I cannot get DDS to download. So, here is my Gmer log. Many thanks to anybody who can help.

Attached Files

  • Ark.txt (33.75 KB)

Edited by fionna&cake, 04 December 2011 - 01:50 PM.



#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,604 posts

Posted 09 December 2011 - 03:50 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/430641 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 fionna&cake

fionna&cake
  • Topic Starter

  • Members
  • 12 posts

Posted 09 December 2011 - 05:40 PM

I do not have my Windows CD available. I guess I also should note that even though the DDS log states I have AVG and ESET 4 enabled I've uninstalled both and even downloaded an AVG remover to be extra sure before I ran the scan. I'm using ESET Smart Security 5, which I disabled at time of said scan. Thank you.


.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_26
Run by Maggie at 12:37:06 on 2011-12-09
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3070.1858 [GMT -8:00]
.
AV: ESET NOD32 Antivirus 4.0 *Enabled/Updated* {CB0F8167-5331-BA19-698E-64816B6801A5}
AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: ESET NOD32 Antivirus 4.0 *Enabled/Updated* {706E6083-750B-B597-533E-5FF310EF4B18}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\WTouch\WTouchService.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\WTouch\WTouchUser.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Windows\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Live\Family Safety\fsssvc.exe
C:\Program Files\Hamachi\hamachi-2.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\system32\svchost.exe -k HsfXAudioService
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\LogonUI.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\alg.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\fxssvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.arccosine.com/
uInternet Settings,ProxyOverride = *.local
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Windows Live Family Safety Browser Helper Class: {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - c:\program files\windows live\family safety\fssbho.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe" -delete
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LogMeIn Hamachi Ui] "c:\program files\hamachi\hamachi-2-ui.exe" --auto-start
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Free YouTube Download - c:\users\maggie\appdata\roaming\dvdvideosoftiehelpers\youtubedownload.htm
IE: Free YouTube to MP3 Converter - c:\users\maggie\appdata\roaming\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 10.0.0.1
TCP: Interfaces\{E48A5EFB-A58F-4419-B99B-4722E7A94460} : DhcpNameServer = 10.0.0.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\maggie\appdata\roaming\mozilla\firefox\profiles\xo8wp8rp.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=greentree_ff1&type=382950&p=
FF - plugin: c:\program files\battlelog web plugins\0.80.0\npesnlaunch.dll
FF - plugin: c:\program files\battlelog web plugins\sonar\0.70.0\npesnsonar.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\sony\media go\npmediago.dll
FF - plugin: c:\program files\tabletplugins\npwacom.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\windows\system32\wat\npWatWeb.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-9-3 208896]
R2 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [2011-8-9 163424]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2011-9-22 974944]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2011-8-4 103112]
R2 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-2-11 54632]
R2 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\hamachi\hamachi-2.exe [2011-8-15 1361288]
R2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe -k HsfXAudioService [2009-7-13 20992]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-7-20 366152]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-8-9 2253120]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2011-9-22 381248]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2010-11-22 4497704]
R2 WTouchService;WTouch Service;c:\program files\wtouch\WTouchService.exe [2010-11-22 113448]
R3 kbdcap;kbdcap;c:\windows\system32\drivers\KbdCap.sys [2011-11-30 109440]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-7-20 22216]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2010-11-22 16168]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-9-17 136176]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\intel\inteldh\intel media server\tools\IntelDHSvcConf.exe [2006-5-10 29696]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 EJTZNUHQVP;EJTZNUHQVP;c:\users\maggie\appdata\local\temp\EJTZNUHQVP.exe [2011-12-3 383872]
S3 EOZ;EOZ;c:\users\maggie\appdata\local\temp\EOZ.exe [2011-12-3 371584]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-9-17 136176]
S3 HPGM;HPGM;c:\users\maggie\appdata\local\temp\HPGM.exe [2011-12-3 441216]
S3 LJSW;LJSW;c:\users\maggie\appdata\local\temp\LJSW.exe [2011-12-3 482176]
S3 MCLServiceATL;Intel® Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2006-9-11 167936]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2011-12-2 24416]
S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2009-7-13 266752]
S3 VZOO;VZOO;c:\users\maggie\appdata\local\temp\VZOO.exe [2011-12-3 359296]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-2-25 1343400]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2009-2-13 11520]
S4 TeamViewer6;TeamViewer 6;c:\program files\teamviewer\version6\TeamViewer_Service.exe [2011-8-1 2337144]
S4 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2010-5-10 110592]
S4 WDFME;WD File Management Engine;c:\program files\western digital\wd smartware\front parlor\wdfme\WDFME.exe [2010-5-10 1858048]
S4 WDSC;WD File Management Shadow Engine;c:\program files\western digital\wd smartware\front parlor\WDSC.exe [2010-5-10 482304]
.
=============== Created Last 30 ================
.
2011-12-06 00:34:41 39936 ----a-w- c:\windows\system32\KEYLIB32.dll
2011-12-06 00:34:41 15840 ----a-w- c:\windows\system32\Machnm1.exe
2011-12-06 00:34:41 117248 ----a-w- c:\windows\system32\SKCL.dll
2011-12-06 00:34:39 -------- d-----w- c:\program files\Educational Simulations
2011-12-06 00:34:39 -------- d-----w- c:\program files\common files\Borland Shared
2011-12-04 05:22:02 -------- d--h--w- c:\windows\PIF
2011-12-03 19:13:39 -------- d-----w- c:\program files\CCleaner
2011-12-03 18:34:04 -------- d-----w- c:\users\maggie\appdata\roaming\SUPERAntiSpyware.com
2011-12-03 18:33:51 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-12-03 18:33:51 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-12-02 19:58:39 -------- d-sh--w- C:\$RECYCLE.BIN
2011-12-02 15:31:01 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2011-12-02 15:14:57 39192 ----a-w- c:\windows\system32\Partizan.exe
2011-12-02 15:14:57 35816 ----a-w- c:\windows\system32\drivers\Partizan.sys
2011-12-02 15:14:55 12800 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2011-12-02 15:11:06 -------- d-----w- c:\programdata\SecTaskMan
2011-12-02 15:11:04 -------- d-----w- c:\program files\Security Task Manager
2011-12-02 07:00:26 -------- d-----w- C:\TDSSKiller_Quarantine
2011-12-01 08:09:55 -------- d-----w- c:\programdata\ZeoBIT
2011-12-01 06:26:02 -------- d-----w- C:\kleaner.tmp
2011-12-01 06:23:11 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
2011-12-01 04:44:52 -------- d-----r- C:\comment.htt
2011-12-01 04:26:34 2 --shatr- c:\windows\winstart.bat
2011-12-01 04:26:22 -------- d-----w- c:\program files\UnHackMe
2011-11-30 20:27:43 -------- d-----w- c:\users\maggie\appdata\local\CrashDumps
2011-11-30 19:49:51 -------- d-----w- c:\users\maggie\appdata\local\NPE
2011-11-30 19:42:42 109440 ----a-w- c:\windows\system32\drivers\KbdCap.sys
2011-11-26 08:42:21 -------- d-----w- c:\program files\Workspace Macro 4.6
2011-11-21 21:17:31 -------- d-----w- c:\users\maggie\appdata\roaming\.minecraft
2011-11-21 21:17:12 -------- d-----w- c:\users\maggie\appdata\roaming\minecraft stuff
2011-11-11 18:54:59 -------- d-----w- c:\users\maggie\appdata\local\Skyrim
2011-11-11 18:40:33 -------- d-----w- c:\program files\The Elder Scrolls V Skyrim
2011-11-10 07:40:04 -------- d-----w- c:\users\maggie\appdata\local\ZScreen
2011-11-10 07:40:03 -------- d-----w- c:\users\maggie\appdata\roaming\ZScreen
2011-11-10 07:36:33 -------- d-----w- c:\program files\ZScreen
.
==================== Find3M ====================
.
2011-10-13 20:29:40 42392 ----a-w- c:\windows\system32\xfcodec.dll
2011-09-29 22:48:18 140072 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-09-29 22:48:08 280904 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-09-29 22:48:08 280904 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-09-29 21:25:09 280904 ----a-w- c:\windows\system32\PnkBstrB.ex0
2011-09-29 17:57:04 75136 ----a-w- c:\windows\system32\PnkBstrA.exe
2011-09-27 04:33:14 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-22 19:29:58 321856 ----a-w- c:\windows\system32\nvStreaming.exe
.
============= FINISH: 12:38:26.58 ===============


Edited by fionna&cake, 09 December 2011 - 05:40 PM.
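As an added example (not part of any post in this thread, and not a DDS or BleepingComputer tool), the Python script below triages the two things in the DDS log above that a responder looks at first: services whose binary lives in a user-writable temp directory (the S3 entries under appdata\local\temp), and the UAC policy values reported as 0 (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop). The regexes and the list of user-writable path markers are my assumptions about DDS's line format; the sample lines are excerpted from the log in this post, with two benign services kept for contrast.

```python
"""Triage helper for DDS-style log excerpts (added example, not a DDS feature)."""
import re
from typing import Dict, List

# Constructed input: lines excerpted from the DDS log posted in this thread,
# plus two benign services (ekrn, b57nd60x) kept for contrast.
SAMPLE_LOG = r"""
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2011-9-22 974944]
R2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe -k HsfXAudioService [2009-7-13 20992]
S3 EJTZNUHQVP;EJTZNUHQVP;c:\users\maggie\appdata\local\temp\EJTZNUHQVP.exe [2011-12-3 383872]
S3 EOZ;EOZ;c:\users\maggie\appdata\local\temp\EOZ.exe [2011-12-3 371584]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
"""

# Assumed shape of a SERVICES / DRIVERS line: "R2 name;display;path [yyyy-m-d size]".
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+)\s\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s(?P<size>\d+)\]$"
)
# Assumed shape of a policy line from the Pseudo HJT report: "mPolicies-system: EnableLUA = 0 (0x0)".
POLICY_RE = re.compile(
    r"^(?P<scope>[um])Policies-(?P<key>[\w-]+):\s*(?P<name>\w+)\s*=\s*(?P<value>\d+)"
)

# Directories an unprivileged user can write to. A service or driver whose
# binary lives here was dropped at runtime, not installed by a vendor.
USER_WRITABLE = (
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
    "\\users\\public\\",
)

# Policy values that weaken UAC, with what each weak value means.
UAC_CHECKS = {
    "EnableLUA": (lambda v: v == 0, "UAC is switched off entirely"),
    "ConsentPromptBehaviorAdmin": (lambda v: v == 0, "administrators elevate without any prompt"),
    "PromptOnSecureDesktop": (lambda v: v == 0, "elevation prompts are not isolated on the secure desktop"),
}


def parse_services(lines: List[str]) -> List[Dict[str, str]]:
    """Return one dict per service/driver line that matches SERVICE_RE."""
    return [m.groupdict() for m in map(SERVICE_RE.match, lines) if m]


def flag_services(services: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep only services whose binary sits in a user-writable directory."""
    flagged = []
    for svc in services:
        path = svc["path"].lower()  # DDS lower-cases directories; compare case-insensitively
        if any(marker in path for marker in USER_WRITABLE):
            reason = "binary in user-writable directory"
            if svc["name"] == svc["display"]:
                reason += "; no descriptive display name"
            flagged.append({**svc, "reason": reason})
    return flagged


def flag_policies(lines: List[str]) -> List[Dict[str, object]]:
    """Report UAC-related policy values that match a weak-value check."""
    weak = []
    for line in lines:
        m = POLICY_RE.match(line)
        if not m:
            continue
        check = UAC_CHECKS.get(m["name"])
        value = int(m["value"])
        if check and check[0](value):
            weak.append({"name": m["name"], "value": value, "meaning": check[1]})
    return weak


def triage(log_text: str) -> Dict[str, list]:
    """Run both checks over a DDS log excerpt and return the findings."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    return {
        "services": flag_services(parse_services(lines)),
        "policies": flag_policies(lines),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for svc in result["services"]:
        print(f"[service] {svc['state']} {svc['name']}: {svc['path']} ({svc['reason']})")
    for pol in result["policies"]:
        print(f"[policy]  {pol['name']} = {pol['value']}: {pol['meaning']}")
```

Run against the full log, the script lists the four appdata\local\temp services (EJTZNUHQVP, EOZ, HPGM, LJSW, VZOO) and the three UAC policies set to 0; a service in system32 or Program Files is never flagged by path alone, so benign entries like ekrn and b57nd60x stay out of the report.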


#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,933 posts
  • Gender:Female
  • Location:Romania

Posted 10 December 2011 - 06:31 AM

Hello, my name is Elise and I'll assist you with this issue.

TWO ANTIVIRUS PROGRAMS
---------------------------------------
I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
  • False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either AVG or ESET.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

[screenshot]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#5 fionna&cake

fionna&cake
  • Topic Starter

  • Members
  • 12 posts

Posted 10 December 2011 - 03:07 PM

I ran another AVG deletion program from the AVG website and rebooted, but it still says I have AVG. I also removed AVG from the add/remove program section in the control panel months ago. It states that eset 4.0 is enabled but I uninstalled eset 4.0 about a week ago and installed eset 5.0, and I temporarily disabled 5.0 for the scan. Anyway, here is the log.


Edited by fionna&cake, 10 December 2011 - 03:09 PM.


#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,933 posts
  • Gender:Female
  • Location:Romania

Posted 10 December 2011 - 03:19 PM

Hi again, how are things running at this point?

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
SecCenter::
{5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}

Save this as CFScript.txt, in the same location as ComboFix.exe

[screenshot]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards, Elise


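An added example (not from Elise's post and not ComboFix's own code) showing what a script like the one above is acting on. Action Center and the "your antivirus is turned off" alerts are driven by the product registrations kept in the WMI namespace root\SecurityCenter2; a product that was uninstalled but left its registration behind (the AVG and ESET 4.0 entries reported in post #5 fit that pattern) keeps generating those alerts. The SecCenter:: directive names one registration by its instance GUID, which I take to be such a WMI entry (an assumption about ComboFix's behaviour, not something the thread states). The PowerShell below lists every registration and flags the ones whose signed executable no longer exists on disk. It is written for the PowerShell 2.0 that ships with Windows 7 (hence Get-WmiObject and New-Object rather than newer cmdlets). The productState decoding is the commonly used reading of an undocumented field and is also an assumption.

```powershell
# Added example, not code from the thread. Lists the antivirus, antispyware and
# firewall products registered with Windows Security Center and flags stale ones.
# Windows 7 / PowerShell 2.0 compatible; run from an elevated prompt.

function ConvertFrom-WscProductState {
    param([uint32]$State)
    # productState is usually read as three bytes 0xAABBCC (assumed, undocumented):
    # BB = 0x10 means the product reports itself enabled, 0x00 or 0x01 disabled;
    # CC = 0x00 means signatures up to date, 0x10 out of date.
    $hex = '{0:X6}' -f $State
    New-Object PSObject -Property @{
        Enabled  = ($hex.Substring(2, 2) -eq '10')
        UpToDate = ($hex.Substring(4, 2) -eq '00')
    }
}

function Test-WscRegistrationStale {
    param([string]$ExePath)
    # A registration is stale when it points at a local file that is no longer
    # there. Paths that are not drive-rooted (URIs, empty strings) are not judged.
    if (-not $ExePath) { return $true }
    $expanded = [Environment]::ExpandEnvironmentVariables($ExePath)
    if ($expanded -notmatch '^[A-Za-z]:\\') { return $false }
    return -not (Test-Path -LiteralPath $expanded)
}

function Get-WscRegistrations {
    $classes = 'AntiVirusProduct', 'AntiSpywareProduct', 'FirewallProduct'
    foreach ($class in $classes) {
        $items = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class $class `
                               -ErrorAction SilentlyContinue
        # Guard the loop: PowerShell 2.0 iterates once over $null.
        if ($items) {
            foreach ($p in $items) {
                $state = ConvertFrom-WscProductState -State $p.productState
                New-Object PSObject -Property @{
                    Class        = $class
                    DisplayName  = $p.displayName
                    InstanceGuid = $p.instanceGuid
                    Enabled      = $state.Enabled
                    UpToDate     = $state.UpToDate
                    Executable   = $p.pathToSignedProductExe
                    Stale        = Test-WscRegistrationStale -ExePath $p.pathToSignedProductExe
                }
            }
        }
    }
}

$regs = @(Get-WscRegistrations)
$regs | Format-Table Class, DisplayName, Enabled, UpToDate, Stale, InstanceGuid -AutoSize

# The stale entries are the ones a Security Center cleanup would remove; their
# InstanceGuid is the value a SecCenter:: line in a CFScript refers to.
$regs | Where-Object { $_.Stale } | ForEach-Object {
    "Stale registration: {0} {1} -> {2}" -f $_.DisplayName, $_.InstanceGuid, $_.Executable
}
```

The Stale column is the useful signal: a registration whose executable is gone cannot be the product currently protecting the machine, so an alert about it being "turned off" is noise from the leftover entry rather than evidence that the installed product was disabled.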


#7 fionna&cake


Posted 10 December 2011 - 05:12 PM

Things seem to be getting worse. The notifications seem to be much more active. I've noticed it takes about 5 minutes for the notifications to start appearing and after 15 minutes I'm disallowed access to any program. I get the error,
"Illegal Operation attempted on a registry key that has been marked for deletion." I can run programs fine in the 15 minutes beforehand, though.
Here is the new log!

Attached Files



#8 Elise


Posted 11 December 2011 - 02:50 AM

Restart your computer once, that should take care of the notification.

Please click Start > All Programs > Accessories, right click Command Prompt and select Run as Administrator.

Type sfc /scannow and press enter

Let the system file checker run unhindered and when done let me know how things are running.

regards, Elise




#9 fionna&cake


Posted 11 December 2011 - 03:49 AM

After a restart everything seems A-okay with the notifications. Ran the scan, got this message:
"Verification 100% complete.
Windows Resource Protection found corrupt files but was unable to fix some of them.
Details are included in the CBS.log windir/logs/cbs/cbs.log"
Should I post the log? Do I paste it or attach it?
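An added example (not part of either poster's message) for the sfc /scannow step above. CBS.log is shared with the servicing stack, so most of it is Windows Update noise; the System File Checker tags its own lines with "[SR]", and for every file it verified as corrupt but could not restore it writes a "Cannot repair member file" line that names the file, its component and the reason (typically "hash mismatch"). The PowerShell below extracts those lines and summarises the unrepaired files. The sample log lines are constructed in the CBS.log format to show the parsing offline; they are not taken from the poster's log. On a suspected rootkit case, the files in that list are the ones to compare against known-good copies.

```powershell
# Added example, not code from the thread. Pulls the System File Checker's own
# lines out of CBS.log and lists the members it could not repair.
# Windows 7 / PowerShell 2.0 compatible; run from an elevated prompt.

function Get-SfcLines {
    param([string]$LogPath = (Join-Path $env:windir 'Logs\CBS\CBS.log'))
    # SFC tags its lines with "[SR]"; everything else in CBS.log is servicing noise.
    Select-String -Path $LogPath -Pattern '[SR]' -SimpleMatch | ForEach-Object { $_.Line }
}

function Get-SfcUnrepaired {
    param([string[]]$Lines)
    # SFC writes one "Cannot repair member file [l:NN{MM}]"<file>" of <component>, ..."
    # line per file it verified as corrupt and could not restore from the store.
    $found = foreach ($line in $Lines) {
        if ($line -match 'Cannot repair member file \[[^\]]*\]"([^"]+)" of ([^,]+),') {
            $file = $Matches[1]
            $component = $Matches[2]
            # The line usually ends with the reason, e.g. "hash mismatch".
            $reason = if ($line -match 'in the store, (.+)$') { $Matches[1] } else { '' }
            New-Object PSObject -Property @{ File = $file; Component = $component; Reason = $reason }
        }
    }
    $found | Sort-Object File -Unique
}

# Constructed sample lines in CBS.log format (not from the poster's machine), so
# the parsing can be tried without a real log.
$sample = @(
    '2011-12-11 03:40:12, Info                  CSI    000001a0 [SR] Verifying 100 (0x0000000000000064) components',
    '2011-12-11 03:40:15, Info                  CSI    000001a2 [SR] Cannot repair member file [l:24{12}]"example.dll" of Example-Component, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch',
    '2011-12-11 03:40:16, Info                  CSI    000001a3 [SR] This component was referenced by [l:100{50}]"Example-Package"',
    '2011-12-11 03:40:20, Info                  CSI    000001b0 [SR] Repair complete'
)
Get-SfcUnrepaired -Lines $sample | Format-Table File, Component, Reason -AutoSize

# On the machine that produced the "unable to fix some of them" result:
# Get-SfcUnrepaired -Lines (Get-SfcLines) | Format-Table File, Component, Reason -AutoSize
# Get-SfcLines | Set-Content (Join-Path $env:USERPROFILE 'Desktop\sfcdetails.txt')
```

Running the two commented lines at the end on the real machine gives the same table for the actual log and writes the [SR] lines to a text file on the desktop, which is the usual thing to hand a helper instead of the full CBS.log.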

#10 Elise


Posted 11 December 2011 - 04:45 AM

No need to post it! :)

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
  • Download the latest version of Java Runtime Environment (JRE) Version 7u1.
  • Look for "JDK 7u1 (JDK or JRE)".
  • Click the "Download JRE" button at the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Select "Windows x86 Offline" and click on jre-7-windows-i586.exe
  • Save it to your desktop
  • Close any programs you may have running - especially your web browser.
  • Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).
  • Reboot your computer once all Java components are removed.
  • Install the newest version by double clicking (run as Administrator for Windows Vista/Seven) the downloaded file.


P2P WARNING
-------------------
Going over your logs I noticed that you have uTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall uTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


Please launch MBAM, update it and run a full scan. Post me the resulting log.

regards, Elise




#11 fionna&cake


Posted 11 December 2011 - 09:51 AM

Here is the malware bytes log.

Attached Files



#12 Elise


Posted 11 December 2011 - 09:58 AM

Please click Start > All Programs > Windows Update and install all recommended updates including Service Pack 1 for Windows 7.

ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button on the page.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

regards, Elise




#13 fionna&cake


Posted 11 December 2011 - 08:51 PM

After running the four-hour scan it says I have 0 threats and doesn't prompt me to list threats or export any files. I thought this was odd so I looked at UnHackMe's finds and ESET's SysInspector finds and they both state I have 5 new EXEs in my temporary folder, along with the good ol' catchme.sys.
Computer running is sort of slow and suspicious and won't load webpages at times. I opened task manager and noticed a suspicious program running (grpconv.exe). Ended it, and now the notifications are back. I really hope I didn't set back any progress! I didn't intend to mess anything up.

#14 Elise


Posted 12 December 2011 - 02:21 AM

All mentioned files are legit. What exactly is the notification message?

regards, Elise




#15 fionna&cake


Posted 12 December 2011 - 03:32 AM

Same as before, reporting that my antivirus, ESET, is turned off on its own, and one about both ESET and Windows Defender being turned off. After a restart it is still there. Actually, I have about 4 of the same popup in my action center window now. Okay, now 8. They are consistently doubling. All the same messages. But after I close it they disappear. Also the action center says a backup is in progress, to my DVD drive, which is empty.



