
Win32/Sirefef.DA and possible Rootkit Infection


6 replies to this topic

#1 Brandon Lubbert

Brandon Lubbert

  • Members
  • 25 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:07 AM

Posted 25 December 2011 - 02:46 PM

I am trying to restore my wife's computer.

I have installed Eset Smart Security. When it scans it detected and removed a bunch of trojans etc. However, it was not able to remove the Win32/Sirefef.DA trojan.

I also installed Malwarebytes. It found a bunch of stuff too and it said that things were cleaned. However, this was not in safe mode.

However, when scanning with Eset Smart Security it still tells me that the Win32/Sirefef.DA trojan is still there.

Internet Explorer still diverts Google and tries to open popups. Eset blocks a bunch of web requests to an unknown website.

This is a Dell Vostro running Windows XP Home 2002 Service Pack 2, Intel Core Duo CPU 1.4 GHz, 2.00 GB of RAM.

This computer may very well have had these viruses for some time. We had McAfee System Protection but it has been outdated for some time.

I have attached the attach.txt from DDS.

So I am requesting help.

Here are the DDS logs:

DDS.txt

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Pam at 10:53:41 on 2011-12-25
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1413 [GMT -5:00]
.
AV: ESET Smart Security 5.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\OEM02Mon.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Common Files\Oberon Media\Parts\1.0.0.16\OberonParts.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2394708
uDefault_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080415
uSearch Bar =
uURLSearchHooks: Radio 123 Toolbar: {2c1e21b5-5666-4cd5-8152-96b690b7216e} - c:\program files\radio_123\prxtbRadi.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Radio 123 Toolbar: {2c1e21b5-5666-4cd5-8152-96b690b7216e} - c:\program files\radio_123\prxtbRadi.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
TB: Radio 123 Toolbar: {2c1e21b5-5666-4cd5-8152-96b690b7216e} - c:\program files\radio_123\prxtbRadi.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellne~1.lnk - c:\windows\installer\{0240bdfb-2995-4a3f-8c96-18d41282b716}\Icon0240BDFB3.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: eBay Search - c:\program files\ebay\ebay toolbar2\eBayTb.dll/RCSearch.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
LSP: mswsock.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DE1BCE1C-D5F9-4621-B630-2627AC47585E} : DhcpNameServer = 192.168.1.1
Notify: NecUsb3Sevice - USB3Nw32.dll
Notify: USB3Nw32 - USB3Nw32.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\pam\application data\mozilla\firefox\profiles\cilick3s.default\
FF - prefs.js: browser.search.selectedEngine - bing
FF - prefs.js: browser.startup.homepage - hxxp://start.msn.iplay.com/?o=shp
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\pam\application data\mozilla\firefox\profiles\cilick3s.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\pam\application data\mozilla\firefox\profiles\cilick3s.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\common files\oberon media\ncadapter\1.0.0.8\npapicomadapter.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\virtools\3d life player\npvirtools.dll
.
============= SERVICES / DRIVERS ===============
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2011-8-4 118104]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2011-9-22 974944]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-2 135664]
S2 NecUsb;USB Service;c:\windows\system32\svchost.exe -k NecUsbSevice [2004-8-10 14336]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-4-15 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-2 135664]
.
=============== Created Last 30 ================
.
2011-12-25 05:24:56 -------- d-----w- c:\documents and settings\pam\application data\Malwarebytes
2011-12-25 05:24:48 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-12-25 05:24:45 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-25 05:24:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-22 11:28:00 -------- d-----w- c:\documents and settings\pam\local settings\application data\ESET
2011-12-19 18:20:45 37888 ----a-w- c:\windows\system32\USB3Nw32.dll
2011-12-09 20:40:14 -------- d-----w- c:\documents and settings\pam\local settings\application data\Radio_123
2011-12-09 20:39:28 -------- d-----w- c:\program files\Radio_123
2011-12-09 17:18:33 -------- d-----w- c:\documents and settings\all users\application data\Sandlot Games
2011-12-08 20:28:44 -------- d-----w- c:\documents and settings\all users\application data\TERMINAL Studio
2011-12-08 20:26:10 -------- d-----w- c:\program files\Oberon Media
2011-12-08 20:26:09 -------- d-----w- c:\program files\MSN Games
2011-12-08 20:26:09 -------- d-----w- c:\documents and settings\all users\application data\Oberon Media
2011-12-08 20:25:58 -------- d-----w- c:\documents and settings\pam\application data\Oberon Media
2011-12-08 20:25:46 -------- d-----w- c:\program files\common files\Oberon Media
.
==================== Find3M ====================
.
.
============= FINISH: 10:54:36.46 ===============


Here is the GMER log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-25 14:39:42
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e SAMSUNG_HM121HI rev.LZ100-11
Running: v9hewzyz.exe; Driver: C:\DOCUME~1\Pam\LOCALS~1\Temp\pxtdapow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwAssignProcessToJobObject [0xB74B34B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwCreateThread [0xB74B37F0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDebugActiveProcess [0xB74B3AB0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDuplicateObject [0xB74B35D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwLoadDriver [0xB74B38B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenProcess [0xB74B3350]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenThread [0xB74B3410]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwProtectVirtualMemory [0xB74B3570]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwQueueApcThread [0xB74B3630]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetContextThread [0xB74B3530]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetInformationThread [0xB74B34F0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSecurityObject [0xB74B3670]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSystemInformation [0xB74B3870]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendProcess [0xB74B33B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendThread [0xB74B3430]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSystemDebugControl [0xB74B3830]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateProcess [0xB74B3370]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateThread [0xB74B3470]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwWriteVirtualMemory [0xB74B35F0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2FBC 80504828 12 Bytes [B0, 33, 4B, B7, 30, 34, 4B, ...] {MOV AL, 0x33; DEC EBX; MOV BH, 0x30; XOR AL, 0x4b; MOV BH, 0x30; CMP [EBX-0x49], CL}
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB91F0360, 0x307447, 0xE8000020]
.text afd.sys B705F000 125 Bytes [05, B7, 6A, 00, FF, 73, 0C, ...]
.text afd.sys B705F07F 4 Bytes CALL B7065BCC \SystemRoot\System32\drivers\afd.sys (Ancillary Function Driver for WinSock/Microsoft Corporation)
.text afd.sys B705F085 61 Bytes [C3, 90, 90, 90, 90, 90, 8B, ...]
.text afd.sys B705F0C3 41 Bytes [83, C8, FF, 83, C1, 40, 87, ...]
.text afd.sys B705F0ED 45 Bytes [43, 18, 8B, 78, 0C, 66, 81, ...]
.text ...
? C:\WINDOWS\System32\drivers\afd.sys suspicious PE modification
? C:\DOCUME~1\Pam\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[976] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0389000A
.text C:\WINDOWS\Explorer.EXE[976] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 038A000A
.text C:\WINDOWS\Explorer.EXE[976] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 037F000C
.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1080] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 4 Bytes [C2, 04, 00, 00]
.text C:\WINDOWS\System32\svchost.exe[1676] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 013B000A
.text C:\WINDOWS\System32\svchost.exe[1676] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 013C000A
.text C:\WINDOWS\System32\svchost.exe[1676] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 013A000C
.text C:\WINDOWS\System32\ping.exe[1864] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BA000A
.text C:\WINDOWS\System32\ping.exe[1864] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00BB000A
.text C:\WINDOWS\System32\ping.exe[1864] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A5000A
.text C:\WINDOWS\System32\ping.exe[1864] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A6000A
.text C:\WINDOWS\System32\ping.exe[1864] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A4000C
.text C:\WINDOWS\System32\ping.exe[1864] USER32.dll!GetCursorPos 7E41BD76 5 Bytes JMP 00BE000A
.text C:\WINDOWS\System32\ping.exe[1864] USER32.dll!WindowFromPoint 7E41BD8E 5 Bytes JMP 00BF000A
.text C:\WINDOWS\System32\ping.exe[1864] USER32.dll!GetForegroundWindow 7E41BE4B 5 Bytes JMP 00C0000A
.text C:\WINDOWS\System32\ping.exe[1864] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 00BD000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[4032] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 02D1000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[4032] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 02D2000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[4032] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 02D0000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)

Device \FileSystem\Fastfat \Fat B271AC8A

AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) B73AA000-B73C4000 (106496 bytes)

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\NetworkService\Cookies\system@rubiconproject[1].txt 0 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@voicefive[1].txt 3743 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@aol[2].txt 0 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@bestofyoutube.mevio[2].txt 295 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@www.dugosearch[2].txt 76 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\1UV9TN3X\b[1].gif 43 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2MFZYWQP\ErrorPageTemplate[1] 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\6QH05YWS\data_sync[1].htm 26 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CYD66LYH\dnserrordiagoff_webOC[1] 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CYD66LYH\pts[1].png 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CYD66LYH\b[2].gif 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CYD66LYH\angelina_jolie_82[1].jpg 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CYD66LYH\another_spears_77[1].jpg 7491 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CYD66LYH\afr[1].php 3034 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CYD66LYH\login_status[1].php 1117 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137 0 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137\bckfg.tmp 814 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137\cfg.ini 208 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137\keywords 254 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137\L 0 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137\L\odetmngk 138368 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137\U 0 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137\U\00000001.@ 1536 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137\U\80000000.@ 11264 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137\U\80000032.@ 97792 bytes
File C:\WINDOWS\$NtUninstallKB41767$\3156639739 0 bytes

---- EOF - GMER 1.0.15 ----
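Added example, not code from this thread or from GMER's authors: a small Python triage that reads the Files and Modules sections of a GMER log and flags the pattern visible in the log above (a fake `$NtUninstall...$` folder holding a numeric subdirectory with `@`-named files, a "suspicious PE modification" notice, and a hidden kernel module). The sample log is constructed from a few lines of the posted log; the regular expressions are assumptions about GMER's line layout.

```python
import re
from typing import Dict, List

# Constructed sample: a handful of lines taken from the GMER log posted in this
# thread, plus one benign cookie entry, so the triage can run offline.
SAMPLE_GMER_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----

.text afd.sys B705F000 125 Bytes [05, B7, 6A, 00, FF, 73, 0C, ...]
? C:\WINDOWS\System32\drivers\afd.sys suspicious PE modification

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) B73AA000-B73C4000 (106496 bytes)

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\NetworkService\Cookies\system@aol[2].txt 0 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137 0 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137\U\80000032.@ 97792 bytes
File C:\WINDOWS\$NtUninstallKB41767$\3156639739 0 bytes

---- EOF - GMER 1.0.15 ----
"""

# Assumed GMER line layouts (derived from the log above, not from GMER documentation).
SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER")
FILE_RE = re.compile(r"^File (?P<path>.+) (?P<size>\d+) bytes$")
SUSPICIOUS_PE_RE = re.compile(r"^\? (?P<path>.+?) suspicious PE modification")
HIDDEN_MODULE_RE = re.compile(r"^Module .*\*\*\* hidden \*\*\*")
# Disguise seen in the log: a $NtUninstall...$ folder containing a purely numeric
# subdirectory. Genuine hotfix uninstall folders do not have that layout.
FAKE_UNINSTALL_RE = re.compile(r"\\\$NtUninstall[^\\]*\$\\\d+(?:\\|$)", re.I)
# Payload naming inside that folder: a bare "@" or an 8-hex-digit ".@" file.
AT_FILE_RE = re.compile(r"(?:^|\\)(?:@|[0-9A-Fa-f]{8}\.@)$")


def triage_gmer(log_text: str) -> Dict[str, List[str]]:
    """Walk a GMER log section by section and collect rootkit indicators."""
    findings: Dict[str, List[str]] = {
        "suspicious_pe": [],        # drivers GMER reports as patched on disk
        "hidden_modules": [],       # kernel modules not visible to normal enumeration
        "fake_uninstall_paths": [], # every file under a fake $NtUninstall$ tree
        "payload_files": [],        # the "@"-named files inside that tree
    }
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = SUSPICIOUS_PE_RE.match(line)
        if m:
            findings["suspicious_pe"].append(m.group("path"))
            continue
        if section.startswith("Modules") and HIDDEN_MODULE_RE.match(line):
            findings["hidden_modules"].append(line)
            continue
        if section.startswith("Files"):
            m = FILE_RE.match(line)
            if not m:
                continue
            path = m.group("path")
            if FAKE_UNINSTALL_RE.search(path):
                findings["fake_uninstall_paths"].append(path)
                if AT_FILE_RE.search(path):
                    findings["payload_files"].append(path)
    return findings


def verdict(findings: Dict[str, List[str]]) -> str:
    """Summarise the findings; any one of these classes is enough to escalate."""
    if (findings["fake_uninstall_paths"] or findings["suspicious_pe"]
            or findings["hidden_modules"]):
        return "rootkit indicators present"
    return "no rootkit indicators"


if __name__ == "__main__":
    result = triage_gmer(SAMPLE_GMER_LOG)
    for category, items in result.items():
        print(f"{category}: {len(items)}")
        for item in items:
            print(f"  {item}")
    print(verdict(result))
```

Run against a full GMER.txt the same way; a clean log yields empty lists and "no rootkit indicators".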

#2 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:11:07 AM

Posted 30 December 2011 - 12:08 PM

Hello and welcome to BleepingComputer! :)



I am Blind Faith and I will be helping you out with your problem. Firstly, you should know that we are working with specific tools which are designed to identify the possible threats present on your system, so I will analyze the results they produce.


As a start we need to have some more up-to-date logs than the ones you have already provided. The current state of the files on your system might have changed so we need to get a clear look on that step. DO NOT bring any changes to the system except the ones I tell you to as that may produce more damage than helping us.

If you will encounter a delay of over 2 days from me, please don't hesitate and private message me.
Do not forget to check your topic periodically and subscribe to the topic so that you can receive notifications regarding my replies.



Please generate another DDS log (download it from here if you haven't already) and post it in your next reply along with other changes that may have occurred since you last posted.
Also download and run GMER from this link: GMER download link.



Thank you very much for your patience.




Regards,

Elle

#3 Brandon Lubbert

Brandon Lubbert
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:07 AM

Posted 01 January 2012 - 08:39 AM

They should be exactly the same, as I have had her just shut down the computer until I heard a response, however, I am glad to rerun them for you. Here are the logs that you requested.

We have several computers so she has been using one of them until we get this solved. I will just be shutting down this computer until I hear the next set of instructions.

Thanks so much for your help!

Brandon

DDS.txt

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Pam at 0:35:00 on 2012-01-01
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1353 [GMT -5:00]
.
AV: ESET Smart Security 5.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\OEM02Mon.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Common Files\Oberon Media\Parts\1.0.0.16\OberonParts.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\msfeedssync.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2394708
uDefault_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080415
uSearch Bar =
uURLSearchHooks: Radio 123 Toolbar: {2c1e21b5-5666-4cd5-8152-96b690b7216e} - c:\program files\radio_123\prxtbRadi.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Radio 123 Toolbar: {2c1e21b5-5666-4cd5-8152-96b690b7216e} - c:\program files\radio_123\prxtbRadi.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
TB: Radio 123 Toolbar: {2c1e21b5-5666-4cd5-8152-96b690b7216e} - c:\program files\radio_123\prxtbRadi.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10n_Plugin.exe -update plugin
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellne~1.lnk - c:\windows\installer\{0240bdfb-2995-4a3f-8c96-18d41282b716}\Icon0240BDFB3.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: eBay Search - c:\program files\ebay\ebay toolbar2\eBayTb.dll/RCSearch.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
LSP: mswsock.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 68.87.72.134 68.87.77.134 192.168.0.1
TCP: Interfaces\{DE1BCE1C-D5F9-4621-B630-2627AC47585E} : DhcpNameServer = 68.87.72.134 68.87.77.134 192.168.0.1
Notify: NecUsb3Sevice - USB3Nw32.dll
Notify: USB3Nw32 - USB3Nw32.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\pam\application data\mozilla\firefox\profiles\cilick3s.default\
FF - prefs.js: browser.search.selectedEngine - bing
FF - prefs.js: browser.startup.homepage - hxxp://start.msn.iplay.com/?o=shp
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\pam\application data\mozilla\firefox\profiles\cilick3s.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\pam\application data\mozilla\firefox\profiles\cilick3s.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\common files\oberon media\ncadapter\1.0.0.8\npapicomadapter.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\virtools\3d life player\npvirtools.dll
.
============= SERVICES / DRIVERS ===============
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2011-8-4 118104]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2011-9-22 974944]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-2 135664]
S2 NecUsb;USB Service;c:\windows\system32\svchost.exe -k NecUsbSevice [2004-8-10 14336]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-4-15 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-2 135664]
.
=============== Created Last 30 ================
.
2011-12-25 05:24:56 -------- d-----w- c:\documents and settings\pam\application data\Malwarebytes
2011-12-25 05:24:48 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-12-25 05:24:45 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-25 05:24:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-22 11:28:00 -------- d-----w- c:\documents and settings\pam\local settings\application data\ESET
2011-12-19 18:20:45 37888 ----a-w- c:\windows\system32\USB3Nw32.dll
2011-12-09 20:40:14 -------- d-----w- c:\documents and settings\pam\local settings\application data\Radio_123
2011-12-09 20:39:28 -------- d-----w- c:\program files\Radio_123
2011-12-09 17:18:33 -------- d-----w- c:\documents and settings\all users\application data\Sandlot Games
2011-12-08 20:28:44 -------- d-----w- c:\documents and settings\all users\application data\TERMINAL Studio
2011-12-08 20:26:10 -------- d-----w- c:\program files\Oberon Media
2011-12-08 20:26:09 -------- d-----w- c:\program files\MSN Games
2011-12-08 20:26:09 -------- d-----w- c:\documents and settings\all users\application data\Oberon Media
2011-12-08 20:25:58 -------- d-----w- c:\documents and settings\pam\application data\Oberon Media
2011-12-08 20:25:46 -------- d-----w- c:\program files\common files\Oberon Media
.
==================== Find3M ====================
.
.
============= FINISH: 0:35:56.44 ===============

==================================================

GMER.txt

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-01 08:32:27
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e SAMSUNG_HM121HI rev.LZ100-11
Running: gmer.exe; Driver: C:\DOCUME~1\Pam\LOCALS~1\Temp\pxtdapow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwAssignProcessToJobObject [0xB73924B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwCreateThread [0xB73927F0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDebugActiveProcess [0xB7392AB0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDuplicateObject [0xB73925D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwLoadDriver [0xB73928B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenProcess [0xB7392350]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenThread [0xB7392410]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwProtectVirtualMemory [0xB7392570]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwQueueApcThread [0xB7392630]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetContextThread [0xB7392530]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetInformationThread [0xB73924F0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSecurityObject [0xB7392670]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSystemInformation [0xB7392870]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendProcess [0xB73923B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendThread [0xB7392430]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSystemDebugControl [0xB7392830]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateProcess [0xB7392370]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateThread [0xB7392470]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwWriteVirtualMemory [0xB73925F0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2FBC 80504828 12 Bytes [B0, 23, 39, B7, 30, 24, 39, ...]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8D04360, 0x307447, 0xE8000020]
.text afd.sys B7290000 125 Bytes [29, B7, 6A, 00, FF, 73, 0C, ...]
.text afd.sys B729007F 4 Bytes CALL B7296BCC \SystemRoot\System32\drivers\afd.sys (Ancillary Function Driver for WinSock/Microsoft Corporation)
.text afd.sys B7290085 61 Bytes [C3, 90, 90, 90, 90, 90, 8B, ...]
.text afd.sys B72900C3 41 Bytes [83, C8, FF, 83, C1, 40, 87, ...]
.text afd.sys B72900ED 44 Bytes [43, 18, 8B, 78, 0C, 66, 81, ...]
.text ...

? C:\WINDOWS\System32\drivers\afd.sys suspicious PE modification

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1232] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 4 Bytes [C2, 04, 00, 00]
.text C:\WINDOWS\System32\ping.exe[1316] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B9000A
.text C:\WINDOWS\System32\ping.exe[1316] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00BA000A
.text C:\WINDOWS\System32\ping.exe[1316] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A4000A
.text C:\WINDOWS\System32\ping.exe[1316] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A5000A
.text C:\WINDOWS\System32\ping.exe[1316] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0072000C
.text C:\WINDOWS\System32\ping.exe[1316] USER32.dll!GetCursorPos 7E41BD76 5 Bytes JMP 00BD000A
.text C:\WINDOWS\System32\ping.exe[1316] USER32.dll!WindowFromPoint 7E41BD8E 5 Bytes JMP 00BE000A
.text C:\WINDOWS\System32\ping.exe[1316] USER32.dll!GetForegroundWindow 7E41BE4B 5 Bytes JMP 00BF000A
.text C:\WINDOWS\System32\ping.exe[1316] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 00BC000A
.text C:\WINDOWS\System32\svchost.exe[1668] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0144000A
.text C:\WINDOWS\System32\svchost.exe[1668] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0145000A
.text C:\WINDOWS\System32\svchost.exe[1668] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0143000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) B72B1000-B72CB000 (106496 bytes)


---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0N10N7V\search[1].htm 0 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137 0 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137\bckfg.tmp 878 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137\cfg.ini 208 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137\keywords 254 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137\L 0 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137\L\odetmngk 138368 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137\U 0 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137\U\80000000.@ 11264 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137\U\80000032.@ 77312 bytes
File C:\WINDOWS\$NtUninstallKB41767$\3156639739 0 bytes

---- EOF - GMER 1.0.15 ----
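Added example, not part of the thread and not code from GMER or ESET: a small Python triage script that reads a GMER text report like the one posted above and separates the hooks owned by a driver the operator knowingly installed (here ESET's ehdrv.sys) from the entries GMER could not attribute to any module: the patched afd.sys marked "suspicious PE modification", the hidden kernel module, and the hidden file tree under `$NtUninstallKB41767$`. The sample log embedded in the script is constructed from the posted report with its line breaks rejoined, plus one invented `unknown.sys` SSDT line that is not in the post and exists only to exercise the untrusted-driver path; the trusted-driver set is an assumption the operator supplies.

```python
"""Triage helper for a GMER 1.0.15 text report (added example, not from
the thread or from GMER). SAMPLE_LOG is a constructed excerpt that mirrors
the posted log with its line breaks rejoined; the 'unknown.sys' SSDT line
is invented to exercise the untrusted-driver path and is not in the post."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenProcess [0xB7392350]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateProcess [0xB7392370]
SSDT \SystemRoot\system32\DRIVERS\unknown.sys ZwCreateFile [0xB72B1234]

---- Kernel code sections - GMER 1.0.15 ----

.text afd.sys B7290000 125 Bytes [29, B7, 6A, 00, FF, 73, 0C, ...]
? C:\WINDOWS\System32\drivers\afd.sys suspicious PE modification

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) B72B1000-B72CB000 (106496 bytes)

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\E0N10N7V\search[1].htm 0 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137 0 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137\L 0 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137\L\odetmngk 138368 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137\U 0 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB41767$\2647015137\U\80000032.@ 77312 bytes

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER")
SSDT_RE = re.compile(r"^SSDT\s+(\S+)(?:\s+\(.*?\))?\s+(Zw\w+)\s+\[(0x[0-9A-Fa-f]+)\]")
PE_RE = re.compile(r"^\?\s+(\S+)\s+suspicious PE modification")
HIDDEN_RE = re.compile(r"^Module .*\*\*\* hidden \*\*\*.*?([0-9A-F]{8}-[0-9A-F]{8})")
FILE_RE = re.compile(r"^File\s+(.+?)\s+(\d+) bytes$")


def parse_gmer(text):
    """Walk the report section by section and pull out the entries we triage."""
    report = {"ssdt": [], "suspicious_pe": [], "hidden_modules": [], "files": []}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if (m := SECTION_RE.match(line)):
            section = m.group(1)
        elif section == "System" and (m := SSDT_RE.match(line)):
            report["ssdt"].append(m.groups())  # (driver, function, address)
        elif section == "Kernel code sections" and (m := PE_RE.match(line)):
            report["suspicious_pe"].append(m.group(1))
        elif section == "Modules" and (m := HIDDEN_RE.match(line)):
            report["hidden_modules"].append(m.group(1))
        elif section == "Files" and (m := FILE_RE.match(line)):
            report["files"].append((m.group(1), int(m.group(2))))
    return report


def file_clusters(files):
    """Group file entries under the shortest listed directory that contains
    them. GMER lists a directory as a 0-byte entry, so every 0-byte path is
    a candidate root; an ordinary empty file simply never matches anything."""
    roots = sorted((p for p, size in files if size == 0), key=len)
    clusters = defaultdict(list)
    for path, _ in files:
        root = next((r for r in roots if path.startswith(r + "\\")), None)
        if root is not None:
            clusters[root].append(path[len(root) + 1:])
    return dict(clusters)


def flag_clusters(clusters):
    """Flag a hidden directory laid out like the one in the posted log:
    an '@' entry beside a 'U\\' subtree of 8-hex-digit '.@' files."""
    return [root for root, names in clusters.items()
            if "@" in names
            and any(re.fullmatch(r"U\\[0-9A-Fa-f]{8}\.@", n) for n in names)]


def triage(report, trusted_drivers):
    """trusted_drivers: lower-case file names of kernel drivers the operator
    installed on purpose (an assumption supplied by the operator, e.g. the
    helper driver of the AV product they just installed)."""
    findings = []
    for driver, func, addr in report["ssdt"]:
        name = driver.rsplit("\\", 1)[-1].lower()
        if name not in trusted_drivers:
            findings.append(f"SSDT hook on {func} by unlisted driver {name} at {addr}")
    for path in report["suspicious_pe"]:
        findings.append(f"suspicious PE modification (unattributed): {path}")
    for span in report["hidden_modules"]:
        findings.append(f"hidden kernel module at {span}")
    for root in flag_clusters(file_clusters(report["files"])):
        findings.append(f"hidden file cluster rooted at {root}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_gmer(SAMPLE_LOG), {"ehdrv.sys"}):
        print(finding)
```

Run as-is it prints four findings for the sample; for a real report pass the file contents to `parse_gmer` and your own driver list to `triage`. The split is the one a log reader makes by hand: on a machine where ESET was just installed, its SSDT hooks and TDI filters are expected, while kernel code changes with no owning module and a hidden file tree are the entries that still need an explanation.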

#4 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:11:07 AM

Posted 03 January 2012 - 05:39 AM

Hi there,



Firstly I need to tell you about the risks your computer is exposed to.
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

=====================================================================================

If you decide to continue please go to Start->Run and type notepad into the box.
A Notepad window should pop up.
Go to Format and select Word Wrap for a better visualization on your logs.

========================================================================

Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.







Elle
Can you hear it? It's all around!

Do you remember?
If you do, then
can you forgive?


If I haven't replied in 48 hours, please feel free to send me a PM.

#5 Brandon Lubbert

Brandon Lubbert
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:07 AM

Posted 04 January 2012 - 02:15 PM

Thankfully, this computer has never really been used for sensitive information, except maybe to do a credit transaction many months ago. (I watch the account like a hawk.) I think that I am going to try and reformat the hard drive. This might be the easier way to go since the information on this hard drive is not super important. Thanks so much for all your help with this. Now I just have to find the restore disks. Brandon

#6 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:11:07 AM

Posted 05 January 2012 - 03:09 PM

Hi there,


We understand :) . Do you have any questions left?


#7 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:10:07 AM

Posted 10 January 2012 - 11:34 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!
