
Infected with Mebroot trojan


  • This topic is locked
17 replies to this topic

#1 blackeagle

blackeagle

  • Members
  • 8 posts
  • OFFLINE
  • Local time:08:18 PM

Posted 17 February 2012 - 10:42 AM

Hello,
A few days ago NOD showed a warning about the Mebroot trojan.
I'm using Win7 32-bit.
I tried using several Mebroot removal tools; nothing worked.

DDS Logs

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7601.17514
Run by ptaku at 15:24:58 on 2012-02-17
Microsoft Windows 7 Ultimate 6.1.7601.1.1250.48.1045.18.3320.2198 [GMT 1:00]
.
AV: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {CB0F8167-5331-BA19-698E-64816B6801A5}
SP: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {706E6083-750B-B597-533E-5FF310EF4B18}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
D:\gry\4game\4GameService.exe
C:\Windows\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Windows\system32\PnkBstrA.exe
C:\Program Files\Tunngle\TnglCtrl.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Tlen.pl\tlen.exe
C:\Program Files\Steam\Steam.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\gry\4game\4GameTray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~4\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: IplexToALLPlayer: {df925ef3-7a87-44e4-9caf-8d7b280bf616} - c:\progra~1\allpla~1\iplex\IplexToALLPlayer.dll
uRun: [Komunikator] c:\program files\tlen.pl\tlen.exe
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
mRun: [HDAudDeck] c:\program files\via\viaudioi\vdeck\VDeck.exe -r
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [4gameTray] d:\gry\l2god\4GameTray.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{CD91CC69-272E-46B8-B5E5-EC34389CDA7E} : DhcpNameServer = 7.254.254.254
TCP: Interfaces\{F2342BF6-D09E-4DA7-A4BE-7372410C11ED} : NameServer = 194.204.152.34,194.204.159.1
TCP: Interfaces\{F2342BF6-D09E-4DA7-A4BE-7372410C11ED} : DhcpNameServer = 192.168.1.1 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\ptaku\appdata\roaming\mozilla\firefox\profiles\ha3732o9.default\
FF - plugin: c:\progra~1\micros~4\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~4\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: d:\gry\4game\npplugin4game.dll
.
============= SERVICES / DRIVERS ===============
.
R2 4game;4game;d:\gry\4game\4GameService.exe [2011-12-14 757600]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-10-17 176128]
R2 AMD FUEL Service;AMD FUEL Service;c:\program files\ati technologies\ati.ace\fuel\Fuel.Service.exe [2011-10-16 291840]
R2 AODDriver4.01;AODDriver4.01;c:\program files\ati technologies\ati.ace\fuel\i386\aoddriver2.sys [2011-6-24 39424]
R2 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [2010-3-24 133512]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2010-3-24 810120]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2010-3-24 96896]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-2-16 652360]
R2 TunngleService;TunngleService;c:\program files\tunngle\TnglCtrl.exe [2011-3-12 718072]
R3 amdiox86;AMD IO Driver;c:\windows\system32\drivers\amdiox86.sys [2011-8-26 37944]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2011-10-17 8598528]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2011-10-17 257024]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2011-6-6 211984]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-2-16 20464]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-11-17 232448]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2010-12-27 125672]
R3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\drivers\tap0901t.sys [2011-1-17 27136]
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [2011-10-28 41600]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2010-6-11 1119232]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 KMService;KMService;c:\windows\system32\srvany.exe [2011-4-6 8192]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-2-8 15872]
S3 ST330;ST330;c:\windows\system32\drivers\st330.sys [2010-6-11 30464]
S3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [2010-6-11 12672]
S3 stppp;Speedtouch PPP Adapter Adapter;c:\windows\system32\drivers\stppp.sys [2010-6-11 32000]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2012-2-8 52224]
.
=============== Created Last 30 ================
.
2012-02-16 16:43:44 -------- d-----w- c:\users\ptaku\appdata\roaming\Malwarebytes
2012-02-16 16:43:39 -------- d-----w- c:\programdata\Malwarebytes
2012-02-16 16:43:38 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-16 16:43:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-16 14:40:18 388096 ----a-r- c:\users\ptaku\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-02-16 14:40:17 -------- d-----w- c:\program files\Trend Micro
2012-02-12 01:00:29 -------- d-----w- c:\users\ptaku\appdata\local\BigHugeEngine
2012-02-08 22:07:19 -------- d-----w- c:\windows\system32\SPReview
2012-02-08 22:06:56 -------- d-----w- c:\windows\system32\EventProviders
2012-02-08 22:04:55 6557240 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{5db2945d-8b00-4b28-8e70-ba2ef777129e}\mpengine.dll
2012-02-08 22:00:04 1130824 ----a-w- c:\windows\system32\dfshim.dll
2012-02-08 21:58:59 82944 ----a-w- c:\windows\system32\thumbcache.dll
2012-02-08 21:57:54 606208 ----a-w- c:\windows\system32\wbem\fastprox.dll
2012-02-08 21:57:54 363008 ----a-w- c:\windows\system32\wbemcomn.dll
2012-02-08 21:57:54 189952 ----a-w- c:\program files\windows portable devices\sqmapi.dll
2012-02-08 21:57:51 189952 ----a-w- c:\windows\system32\sqmapi.dll
2012-02-04 19:43:39 97240 ----a-w- c:\program files\mozilla firefox\libEGL.dll
.
==================== Find3M ====================
.
2012-02-08 23:12:18 152576 ----a-w- c:\windows\system32\msclmd.dll
2012-01-29 04:10:42 237072 ------w- c:\windows\system32\MpSigStub.exe
2011-12-29 18:00:00 79360 ----a-w- c:\windows\system32\ff_vfw.dll
2011-12-21 18:14:02 151552 ----a-w- c:\windows\system32\ac3acm.acm
2011-12-07 18:32:24 216064 ----a-w- c:\windows\system32\lagarith.dll
2011-11-24 04:25:27 2342912 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 15:25:43,00 ===============
Attached file: Attach.txt (5.68 KB)
GMER log
Attached file: ark.txt (8.89 KB)

#2 Conspire

Conspire

  • Malware Response Team
  • 1,155 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:18 AM

Posted 18 February 2012 - 12:02 PM

**In any case where you happen to be busy or unable to give us a reply, we would be grateful if you keep us informed in advance, and we will be more than happy to wait. If you fail to do so, your thread will be closed in THREE (3) days. :)


Hello there, blackeagle

:welcome:

I'm Conspire, I'll be glad to help you with your computer problems.

Please observe these rules while we work:
  • Read the entire procedure
  • It is important to perform ALL actions in sequence.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with me till you're given the all clear.
  • Remember, absence of symptoms does not mean the infection is all gone.
  • Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.

IMPORTANT NOTE: Please do not delete anything unless instructed to. Remember to back up all your important data (if possible) before moving on.
Proud Graduate of the WTT Classroom
Member of UNITE
The help you receive here is always free. If you wish to show your appreciation, then you may btn_donate_SM.gif

#3 Conspire

Conspire

  • Malware Response Team
  • 1,155 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:18 AM

Posted 18 February 2012 - 12:03 PM

Hi,

Please download DeFogger to your desktop.
Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • If it needs to, DeFogger may ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
Do not re-enable these drivers until otherwise instructed.

===================================================

Please read through these instructions to familiarize yourself with what to expect when this tool runs.

Refer to the ComboFix User's Guide


Download ComboFix from one of these locations:

Link 1
Link 2



* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs


====================================================


Double click on combofix.exe & follow the prompts.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

===================================================

On your next reply please post :
Combofix log


Please STOP and let me know if you have any problems performing the steps above or any questions you may have.

Good Day!

Edited by Conspire, 18 February 2012 - 12:03 PM.


#4 blackeagle

blackeagle
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:08:18 PM

Posted 18 February 2012 - 12:49 PM

Hi Conspire,
Thank you in advance for your assistance.
Here is the ComboFix log:

ComboFix 12-02-17.02 - ptaku 2012-02-18 18:36:01.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1250.48.1045.18.3320.2023 [GMT 1:00]
Uruchomiony z: c:\users\ptaku\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {CB0F8167-5331-BA19-698E-64816B6801A5}
SP: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {706E6083-750B-B597-533E-5FF310EF4B18}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Utworzono nowy punkt przywracania
.
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\text.txt
c:\users\ptaku\AppData\Roaming\mIRC\logs\status.log
c:\windows\RazorDOX
c:\windows\RazorDOX\RazorDOX.dll
c:\windows\system32\GroupPolicy\Machine\Registry.pol
.
.
((((((((((((((((((((((((( Pliki utworzone od 2012-01-18 do 2012-02-18 )))))))))))))))))))))))))))))))
.
.
2012-02-18 17:40 . 2012-02-18 17:40 -------- d-----w- c:\users\Kamil\AppData\Local\temp
2012-02-18 17:40 . 2012-02-18 17:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-18 16:31 . 2012-02-18 16:51 -------- d-----w- c:\users\ptaku\DoctorWeb
2012-02-16 16:43 . 2012-02-16 16:43 -------- d-----w- c:\users\ptaku\AppData\Roaming\Malwarebytes
2012-02-16 16:43 . 2012-02-16 16:43 -------- d-----w- c:\programdata\Malwarebytes
2012-02-16 16:43 . 2012-02-16 16:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-16 16:43 . 2011-12-10 14:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-16 14:40 . 2012-02-16 14:40 388096 ----a-r- c:\users\ptaku\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-02-16 14:40 . 2012-02-16 14:40 -------- d-----w- c:\program files\Trend Micro
2012-02-12 01:00 . 2012-02-12 01:00 -------- d-----w- c:\users\ptaku\AppData\Local\BigHugeEngine
2012-02-08 22:07 . 2012-02-08 22:07 -------- d-----w- c:\windows\system32\SPReview
2012-02-08 22:06 . 2012-02-08 22:06 -------- d-----w- c:\windows\system32\EventProviders
2012-02-08 22:04 . 2012-01-06 04:19 6557240 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5DB2945D-8B00-4B28-8E70-BA2EF777129E}\mpengine.dll
2012-02-08 22:00 . 2010-11-05 01:58 1130824 ----a-w- c:\windows\system32\dfshim.dll
2012-02-08 21:58 . 2010-11-20 12:29 194432 ----a-w- c:\windows\system32\halmacpi.dll
2012-02-08 21:57 . 2010-11-20 12:21 363008 ----a-w- c:\windows\system32\wbemcomn.dll
2012-02-08 21:57 . 2010-11-20 12:21 189952 ----a-w- c:\program files\Windows Portable Devices\sqmapi.dll
2012-02-08 21:57 . 2010-11-20 12:19 606208 ----a-w- c:\windows\system32\wbem\fastprox.dll
2012-02-08 21:57 . 2010-11-20 12:21 189952 ----a-w- c:\windows\system32\sqmapi.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-08 23:12 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2012-01-29 04:10 . 2010-06-11 02:24 237072 ------w- c:\windows\system32\MpSigStub.exe
2011-12-30 00:04 . 2009-08-18 10:30 564632 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\wlidui.dll
2011-12-30 00:04 . 2009-08-18 10:24 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-12-29 18:00 . 2012-01-14 21:02 79360 ----a-w- c:\windows\system32\ff_vfw.dll
2011-12-21 18:14 . 2012-01-14 21:02 151552 ----a-w- c:\windows\system32\ac3acm.acm
2011-12-07 18:32 . 2012-01-14 21:02 216064 ----a-w- c:\windows\system32\lagarith.dll
2011-11-24 04:25 . 2011-12-28 03:17 2342912 ----a-w- c:\windows\system32\win32k.sys
2012-02-18 09:33 . 2012-02-04 19:43 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DF925EF3-7A87-44E4-9CAF-8D7B280BF616}]
2011-02-09 18:29 400384 ----a-w- c:\progra~1\ALLPLA~1\Iplex\IplexToALLPlayer.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Komunikator"="c:\program files\Tlen.pl\tlen.exe" [2009-01-17 5853672]
"Steam"="c:\program files\Steam\steam.exe" [2012-01-06 1242448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="c:\program files\VIA\VIAudioi\VDeck\VDeck.exe" [2010-02-10 1713152]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-03-24 2145000]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-10-16 343168]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALLUpdate]
2011-08-16 18:30 1379840 ----a-w- c:\program files\ALLPlayer\ALLUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 12:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SandboxieControl]
2010-12-27 16:57 405736 ----a-w- c:\program files\Sandboxie\SbieCtrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 09:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 KMService;KMService;c:\windows\system32\srvany.exe [2011-04-06 8192]
R3 cpuz130;cpuz130;c:\users\ptaku\AppData\Local\Temp\cpuz130\cpuz_x32.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
R3 PBDOWNFORCE_SERVICE;PBDOWNFORCE_SERVICE;c:\users\ptaku\Desktop\sp00frr\PBDownforce.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 ST330;ST330;c:\windows\system32\drivers\st330.sys [2010-06-11 30464]
R3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [2010-06-11 12672]
R3 stppp;Speedtouch PPP Adapter Adapter;c:\windows\system32\DRIVERS\stppp.sys [2010-06-11 32000]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-06-11 691696]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2010-03-24 114984]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-10-17 176128]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-10-16 291840]
S2 AODDriver4.01;AODDriver4.01;c:\program files\ATI Technologies\ATI.ACE\Fuel\i386\AODDriver2.sys [2011-06-24 39424]
S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2010-03-24 133512]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2010-03-24 810120]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2010-03-24 96896]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
S2 TunngleService;TunngleService;c:\program files\Tunngle\TnglCtrl.exe [2010-11-22 718072]
S3 amdiox86;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox86.sys [2010-02-18 37944]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-10-17 8598528]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-10-17 257024]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2011-06-06 211984]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-11-17 232448]
S3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\DRIVERS\tap0901t.sys [2009-09-16 27136]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2011-08-17 41600]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2010-01-11 1119232]
.
.
.
------- Skan uzupełniający -------
.
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{F2342BF6-D09E-4DA7-A4BE-7372410C11ED}: NameServer = 194.204.152.34,194.204.159.1
FF - ProfilePath - c:\users\ptaku\AppData\Roaming\Mozilla\Firefox\Profiles\ha3732o9.default\
.
- - - - USUNIĘTO PUSTE WPISY - - - -
.
HKLM-Run-4gameTray - d:\gry\L2GoD\4GameTray.exe
AddRemove-{33A22B2D-55BA-4508-B767-BF2E9C21A73F} - c:\program files (x86)\InstallShield Installation Information\{33A22B2D-55BA-4508-B767-BF2E9C21A73F}\setup.exe
.
.
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Czas ukończenia: 2012-02-18 18:42:24
ComboFix-quarantined-files.txt 2012-02-18 17:42
.
Przed: 26 716 405 760 bajtów wolnych
Po: 27 776 131 072 bajtów wolnych
.
- - End Of File - - 710054B72A3EB639EC6C129A5E56EDAD
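As an added example (not a tool from this thread, and not ComboFix or DDS code), here is a small Python triage pass over lines in the format of the logs above. The sample is a constructed subset copied from the DDS and ComboFix output on this page; the checks are the ones a malware-response helper applies first when reading such a log: UAC policy values set to 0, registered services or drivers whose file is missing (`[x]`), drivers loaded from user-writable paths, and `srvany.exe` entries that wrap another program as a service.

```python
"""Triage helper for DDS / ComboFix style logs (added example, not a tool
from the thread).  It parses the 'mPolicies-system' lines and the
'SERVICES / DRIVERS' lines and reports what a helper looks for first."""
import re

# Constructed sample: a subset of lines in the exact format of the logs
# posted in this thread (not the whole log).
SAMPLE_LOG = r"""
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2010-3-24 810120]
R3 cpuz130;cpuz130;c:\users\ptaku\AppData\Local\Temp\cpuz130\cpuz_x32.sys [x]
R3 PBDOWNFORCE_SERVICE;PBDOWNFORCE_SERVICE;c:\users\ptaku\Desktop\sp00frr\PBDownforce.sys [x]
S2 KMService;KMService;c:\windows\system32\srvany.exe [2011-04-06 8192]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
"""

# "R2 name;display;path [date size]"  or  "... [x]" when the file is gone.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]\s*$")
POLICY_RE = re.compile(r"^mPolicies-system:\s+(\w+)\s*=\s*(\d+)")

# Values under HKLM\...\Policies\System that weaken UAC when set to 0.
UAC_EXPECTATIONS = {
    "EnableLUA": "UAC is disabled entirely",
    "ConsentPromptBehaviorAdmin": "administrators elevate without any prompt",
    "PromptOnSecureDesktop": "elevation prompts are not shown on the secure desktop",
}

# Path fragments (lower-cased) that a driver or service should not run from.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\desktop\\", "\\appdata\\")


def parse_service(line):
    """Return (state, name, display, path, stamp) for an R*/S* line, else None."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    return m.groups()


def triage(log_text):
    """Return a list of (item, reason) findings over the log text."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        pol = POLICY_RE.match(line)
        if pol:
            name, value = pol.group(1), int(pol.group(2))
            if name in UAC_EXPECTATIONS and value == 0:
                findings.append((name, UAC_EXPECTATIONS[name]))
            continue
        svc = parse_service(line)
        if not svc:
            continue
        _state, name, _display, path, stamp = svc
        lower = path.lower()
        if stamp == "x":
            findings.append((name, "registered service/driver whose file is missing on disk"))
        if any(marker in lower for marker in USER_WRITABLE):
            findings.append((name, "service/driver loaded from a user-writable path: " + path))
        if lower.endswith("\\srvany.exe"):
            findings.append((name, "srvany.exe runs another program as a service; "
                                   "check the service's Parameters\\Application value"))
    return findings


if __name__ == "__main__":
    for item, reason in triage(SAMPLE_LOG):
        print(f"{item:28s} {reason}")
```

Orphaned `[x]` entries and drivers under Temp or Desktop are not proof of infection (in this thread they belong to a CPU-Z run and a removed tool); they are what to ask the poster about next.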

#5 Conspire

Conspire

  • Malware Response Team
  • 1,155 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:18 AM

Posted 18 February 2012 - 10:29 PM

Can you provide the directory of where ESET found the Mebroot infection?

#6 blackeagle

blackeagle
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:08:18 PM

Posted 19 February 2012 - 06:06 AM

In the operating memory.
Here is the screenshot:
Posted Image

#7 Conspire

Conspire

  • Malware Response Team
  • 1,155 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:18 AM

Posted 19 February 2012 - 08:13 AM

I believe that is a false positive case.

Are you using a Polish based instant messenger?

#8 blackeagle

blackeagle
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:08:18 PM

Posted 19 February 2012 - 01:38 PM

Yes, I am. Do you think it's causing the issue?

#9 Conspire

Conspire

  • Malware Response Team
  • 1,155 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:18 AM

Posted 19 February 2012 - 11:12 PM

Well, yes. If you still want to continue using it, try removing it and performing a reinstall. If the same thing happens, it's up to you to decide whether you can live with it.

#10 blackeagle

blackeagle
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:08:18 PM

Posted 20 February 2012 - 09:51 AM

I deleted it, but NOD still detects the trojan.

#11 Conspire

Conspire

  • Malware Response Team
  • 1,155 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:18 AM

Posted 20 February 2012 - 08:59 PM

Can you quarantine it?

#12 blackeagle

blackeagle
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:08:18 PM

Posted 21 February 2012 - 07:09 AM

I can't.

#13 Conspire

Conspire

  • Malware Response Team
  • 1,155 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:18 AM

Posted 21 February 2012 - 08:15 AM

Are you still seeing the leftovers in C:\Program Files\Tlen.pl?

#14 blackeagle

blackeagle
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:08:18 PM

Posted 21 February 2012 - 09:12 AM

Yes, should I delete them?

#15 Conspire

Conspire

  • Malware Response Team
  • 1,155 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:18 AM

Posted 21 February 2012 - 09:28 AM

Go ahead.