Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

DDS.txt done but not able to run GMER. Ramint infection


  • This topic is locked This topic is locked
2 replies to this topic

#1 tomatot4

tomatot4

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:08:09 AM

Posted 19 March 2012 - 07:08 AM

Hi,

As per the guide, I have run the DDS script. Below is the log.
However, I am not able to run gmer.exe correctly.
error message :
LoadDriver("C:Users\xyz\AppData\Local\Temp\kxldqpod.sys")
error 0xC000010E: An instance of the service is already running.

On clicking OK the program starts but I am only able to check the following boxes:
Services
Regitry
Files (C:\ , D:\ , E:\ )
ADS

Please suggest what could be the problem and probable solutions.

Also, if I right click on anything other than a folder, the windows explorer (explorer.exe) stops running and restarts.

Thanks!!


DDS.txt:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_29
Run by NoBo at 22:50:37 on 2012-03-19
Microsoft Windows 7 Alienware 2010 6.1.7600.0.1252.1.1033.18.3001.1952 [GMT 11:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\ChgService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\FsUsbExService.Exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Norton Internet Security\Engine\18.7.0.13\ccSvcHst.exe
C:\Windows\system32\IoctlSvc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Norton Internet Security\Engine\18.7.0.13\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Samsung\Kies\KiesTrayAgent.exe
C:\Users\NoBo\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Samsung\Kies\External\DeviceModules\ErrorReport.exe
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\REGSVR32.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
mSearchAssistant = hxxp://start.facemoods.com/?a=ddr&s={searchTerms}&f=4
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\users\nobo\appdata\local\rmsfwjmj\askrhjva.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.7.0.13\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.7.0.13\ips\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GR469A~1.DLL
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.7.0.13\coIEPlg.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [KiesHelper] c:\program files\samsung\kies\KiesHelper.exe /s
uRun: [KiesTrayAgent] c:\program files\samsung\kies\KiesTrayAgent.exe
uRun: [Google Update] "c:\users\nobo\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [Welcome Center] c:\windows\system32\rundll32.exe c:\windows\system32\OobeFldr.dll,ShowWelcomeCenter LaunchedBy_StartMenuShortcut
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
dRunOnce: [<NO NAME>]
StartupFolder: c:\users\nobo\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 10.1.1.1
TCP: Interfaces\{21863E57-AB54-435E-9A84-AC932DD44E51} : DhcpNameServer = 10.1.1.1
TCP: Interfaces\{21863E57-AB54-435E-9A84-AC932DD44E51}\2496E61647F6E656 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{21863E57-AB54-435E-9A84-AC932DD44E51}\378616274657C6 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{21863E57-AB54-435E-9A84-AC932DD44E51}\5434F4455485 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{21863E57-AB54-435E-9A84-AC932DD44E51}\C496E6B637973723 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{86901797-67D5-4076-BFFF-33957E869611} : DhcpNameServer = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GRA32A~1.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GR469A~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\nobo\appdata\roaming\mozilla\firefox\profiles\4ick8i76.default\
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\users\nobo\appdata\local\google\update\1.3.21.99\npGoogleUpdate3.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1207000.00d\symds.sys [2012-1-31 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1207000.00d\symefa.sys [2012-1-31 744568]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\bashdefs\20120302.001\BHDrvx86.sys [2012-3-2 820856]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\ipsdefs\20120316.005\IDSvix86.sys [2012-3-16 368248]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-23 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-13 67664]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1207000.00d\ironx86.sys [2012-1-31 136312]
R1 SymNetS;Symantec Network Security WFP Driver;c:\windows\system32\drivers\nis\1207000.00d\symnets.sys [2012-1-31 299640]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-12 116608]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-4 63928]
R2 Change Modem Device Service;Change Modem Device Service;c:\windows\system32\ChgService.exe [2010-11-13 135168]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-11-15 217088]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.7.0.13\ccsvchst.exe [2012-1-31 130008]
R3 ATSwpWDF;AuthenTec TruePrint USB WBF WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2009-12-3 625224]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-3-18 106104]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-11-15 36640]
R3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2009-7-14 229888]
R3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETw5s32.sys [2009-9-16 6114816]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-14 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-14 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-14 661504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-3-18 652360]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-4-14 45736]
S3 cmnsusbser;Mobile Connector USB Device for Legacy Serial Communication LCT2053s;c:\windows\system32\drivers\cmnsusbser.sys [2010-11-13 105984]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2011-9-8 101120]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-11 4231168]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2010-7-26 137600]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2010-7-26 8576]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-11-13 1343400]
S3 wirelessusbser;Wireless USB Device for Legacy Serial Communication;c:\windows\system32\drivers\3GDatausbser.sys [2009-4-7 102656]
.
=============== File Associations ===============
.
.scr=AutoCADScriptFile
.
=============== Created Last 30 ================
.
2012-03-19 10:05:21 -------- d-----w- c:\users\nobo\appdata\local\Apple
2012-03-19 09:55:46 -------- d-----w- c:\program files\VideoLAN
2012-03-18 23:22:31 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2012-03-18 12:53:53 6552120 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{68502e5d-bdbc-4bd5-b2e0-98849b3affa8}\mpengine.dll
2012-03-18 12:53:51 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-03-18 04:02:11 -------- d-----w- c:\program files\ESET
2012-03-18 01:14:01 -------- d-----w- c:\users\nobo\appdata\roaming\SUPERAntiSpyware.com
2012-03-18 01:12:44 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-03-18 01:12:44 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-03-18 00:51:22 -------- d-----w- c:\users\nobo\appdata\roaming\Malwarebytes
2012-03-18 00:51:04 -------- d-----w- c:\programdata\Malwarebytes
2012-03-18 00:51:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-03-04 02:02:06 -------- d-----w- c:\program files\FIFA 12
2012-03-02 12:50:14 -------- d-----w- c:\programdata\EA Core
2012-03-02 12:50:13 -------- d-----w- c:\programdata\Electronic Arts
2012-03-02 12:46:11 3851784 ----a-w- c:\windows\system32\D3DX9_39.dll
2012-03-02 12:33:54 -------- d-----w- c:\program files\EA SPORTS
2012-03-01 11:33:58 -------- d-----w- c:\program files\Microsoft IntelliPoint
.
==================== Find3M ====================
.
2012-03-09 23:09:42 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 22:58:12.43 ===============

BC AdBot (Login to Remove)

 


#2 Will Watts

Will Watts

  • Malware Response Team
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:09 PM

Posted 22 March 2012 - 07:49 AM

Hi tomatot4,

Which tool identified a Ramnit infection? Unfortunately in most cases of Ramnit, the only way forward is to reformat the PC and reinstall; Ramnit is a file infector that is incredibly hard to eradicate completely once it's taken hold. We'll confirm the infection first, and how infected the machine is, but be aware a full reformat and reinstall could be needed.

I also note that you have a modified/cracked version of Windows 7 running: Microsoft Windows 7 Alienware 2010

This isn't a legitimate version of Windows, as such the help we can provide you is limited. Due to the OS installed, and the type of infection reported, I would recommend a full reformat and the installation of a legitimate version of Windows 7. If you do not have a legitimate version, and don't wish to buy one, there are plenty of free Linux OS versions out there.

If you wish to continue, we'll verify the type of infection on the machine first.

Please go to here to run an online scannner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats' , then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.
------------------------------------------------------

#3 Will Watts

Will Watts

  • Malware Response Team
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:09 PM

Posted 28 March 2012 - 03:07 PM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users