reinfected with a bot


This topic is locked
7 replies to this topic

#1 websitewendy
  • Members
  • 23 posts

Posted 21 March 2012 - 11:39 AM

Posting per
http://www.bleepingcomputer.com/forums/topic446922.html/page__gopid__2638618#entry2638618


GMER opens but only services / registry and /files are available for check marking

Holy cow.
I had done some banking on this and now I need to change all of that again?!



.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by websitewendy at 9:29:05 on 2012-03-21
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8175.5696 [GMT -7:00]
.
AV: ESET Smart Security 5.0 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
AV: Norton 360 *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: ESET Smart Security 5.0 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton 360 *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton 360 *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
FW: ESET Personal firewall *Enabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe
C:\Program Files (x86)\Norton 360\Engine\6.1.1.8\ccSvcHst.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Norton 360\Engine\6.1.1.8\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Users\websitewendy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\websitewendy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\websitewendy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\websitewendy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\websitewendy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\websitewendy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mWinlogon: Userinit=userinit.exe
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5.1\Plugins\IEPlugin\contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Norton Identity Protection: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton 360\Engine\6.1.1.8\coIEPlg.dll
BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton 360\Engine\6.1.1.8\IPS\IPSBHO.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5.1\Plugins\IEPlugin\contributeieplugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton 360\Engine\6.1.1.8\coIEPlg.dll
uRun: [Google Update] "C:\Users\websitewendy\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\WEBSIT~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E0D673EF-1FD2-44CC-896B-7AA6CDBBBB86} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{E0D673EF-1FD2-44CC-896B-7AA6CDBBBB86} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E0D673EF-1FD2-44CC-896B-7AA6CDBBBB86}\37570756276627F676 : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{E0D673EF-1FD2-44CC-896B-7AA6CDBBBB86}\37570756276627F676 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E0D673EF-1FD2-44CC-896B-7AA6CDBBBB86}\E45445745414258323 : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{E0D673EF-1FD2-44CC-896B-7AA6CDBBBB86}\E45445745414258323 : DhcpNameServer = 192.168.1.1
BHO-X64: ContributeBHO Class: {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5.1\Plugins\IEPlugin\contributeieplugin.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton 360\Engine\6.1.1.8\coIEPlg.dll
BHO-X64: Norton Identity Protection - No File
BHO-X64: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton 360\Engine\6.1.1.8\IPS\IPSBHO.DLL
BHO-X64: Norton Vulnerability Protection - No File
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Contribute Toolbar: {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5.1\Plugins\IEPlugin\contributeieplugin.dll
TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine\6.1.1.8\coIEPlg.dll
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun-x64: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun-x64: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
.
============= SERVICES / DRIVERS ===============
.
R0 epfwwfp;epfwwfp;C:\Windows\system32\DRIVERS\epfwwfp.sys --> C:\Windows\system32\DRIVERS\epfwwfp.sys [?]
R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\N360x64\0601010.008\SYMDS64.SYS --> C:\Windows\system32\drivers\N360x64\0601010.008\SYMDS64.SYS [?]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\N360x64\0601010.008\SYMEFA64.SYS --> C:\Windows\system32\drivers\N360x64\0601010.008\SYMEFA64.SYS [?]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\BASHDefs\20120317.002\BHDrvx64.sys [2012-3-20 1157240]
R1 ccSet_N360;Norton 360 Settings Manager;C:\Windows\system32\drivers\N360x64\0601010.008\ccSetx64.sys --> C:\Windows\system32\drivers\N360x64\0601010.008\ccSetx64.sys [?]
R1 EpfwLWF;Epfw NDIS LightWeight Filter;C:\Windows\system32\DRIVERS\EpfwLWF.sys --> C:\Windows\system32\DRIVERS\EpfwLWF.sys [?]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\IPSDefs\20120320.002\IDSviA64.sys [2012-3-21 488568]
R1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\N360x64\0601010.008\Ironx64.SYS --> C:\Windows\system32\drivers\N360x64\0601010.008\Ironx64.SYS [?]
R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\system32\Drivers\N360x64\0601010.008\SYMNETS.SYS --> C:\Windows\system32\Drivers\N360x64\0601010.008\SYMNETS.SYS [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 eamonm;eamonm;C:\Windows\system32\DRIVERS\eamonm.sys --> C:\Windows\system32\DRIVERS\eamonm.sys [?]
R2 ekrn;ESET Service;C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe [2011-9-22 974944]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-3-18 652360]
R2 N360;Norton 360;C:\Program Files (x86)\Norton 360\Engine\6.1.1.8\ccsvchst.exe [2012-3-19 138232]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-3-19 138360]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\system32\DRIVERS\netr28x.sys --> C:\Windows\system32\DRIVERS\netr28x.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-03-19 23:17:36 -------- d-----w- C:\Program Files (x86)\ESET
2012-03-19 23:13:36 738936 ----a-r- C:\Windows\System32\drivers\N360x64\0601010.008\srtsp64.sys
2012-03-19 23:13:36 451192 ----a-r- C:\Windows\System32\drivers\N360x64\0601010.008\symds64.sys
2012-03-19 23:13:36 405624 ----a-r- C:\Windows\System32\drivers\N360x64\0601010.008\symnets.sys
2012-03-19 23:13:36 37496 ----a-r- C:\Windows\System32\drivers\N360x64\0601010.008\srtspx64.sys
2012-03-19 23:13:36 190072 ----a-r- C:\Windows\System32\drivers\N360x64\0601010.008\ironx64.sys
2012-03-19 23:13:36 167048 ----a-r- C:\Windows\System32\drivers\N360x64\0601010.008\ccsetx64.sys
2012-03-19 23:13:36 1092728 ----a-r- C:\Windows\System32\drivers\N360x64\0601010.008\symefa64.sys
2012-03-19 23:13:30 -------- d-----w- C:\Windows\System32\drivers\N360x64\0601010.008
2012-03-19 20:29:14 -------- d-----w- C:\Program Files (x86)\Common Files\Symantec Shared
2012-03-19 20:02:30 175736 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS
2012-03-19 20:02:30 -------- d-----w- C:\Program Files\Symantec
2012-03-19 20:02:30 -------- d-----w- C:\Program Files\Common Files\Symantec Shared
2012-03-19 20:02:12 -------- d-----w- C:\Windows\System32\drivers\N360x64
2012-03-19 20:02:10 -------- d-----w- C:\Program Files (x86)\Norton 360
2012-03-19 20:02:06 -------- d-----w- C:\ProgramData\NortonInstaller
2012-03-19 20:02:06 -------- d-----w- C:\Program Files (x86)\NortonInstaller
2012-03-19 05:43:59 -------- d-----w- C:\ProgramData\regid.1986-12.com.adobe
2012-03-19 05:40:01 -------- d-----w- C:\ProgramData\ALM
2012-03-19 05:35:25 -------- d-----w- C:\Users\websitewendy\Adobe Flash Builder 4.5
2012-03-19 05:32:27 -------- d-----w- C:\Program Files (x86)\Adobe Story
2012-03-18 20:52:54 -------- d-----w- C:\Users\websitewendy\AppData\Roaming\OpenOffice.org
2012-03-18 20:31:08 -------- d-----w- C:\Program Files (x86)\OpenOffice.org 3
2012-03-18 20:30:24 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-03-18 18:19:34 -------- d-----w- C:\Users\websitewendy\AppData\Roaming\Malwarebytes
2012-03-18 18:12:03 -------- d-----w- C:\Users\websitewendy\AppData\Roaming\RoboForm
2012-03-18 18:07:40 -------- d-----w- C:\ProgramData\Malwarebytes
2012-03-18 18:07:39 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-03-18 18:07:39 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-03-18 04:25:22 -------- d-----w- C:\Users\websitewendy\AppData\Local\Google
2012-03-18 04:24:32 -------- d-----w- C:\Users\websitewendy\AppData\Local\Deployment
2012-03-18 04:24:32 -------- d-----w- C:\Users\websitewendy\AppData\Local\Apps
2012-03-17 23:27:15 -------- d-----w- C:\Users\websitewendy\AppData\Local\ElevatedDiagnostics
2012-03-17 22:56:55 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-03-17 21:29:06 -------- d-----w- C:\Users\websitewendy\AppData\Local\NPE
2012-03-17 21:29:06 -------- d-----w- C:\ProgramData\Norton
2012-03-17 19:00:03 8643640 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{10436A80-49B5-41E5-B6AB-6CD41726517D}\mpengine.dll
2012-03-17 18:59:27 3145728 ----a-w- C:\Windows\System32\win32k.sys
2012-03-17 18:59:26 1544192 ----a-w- C:\Windows\System32\DWrite.dll
2012-03-17 18:59:26 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll
2012-03-17 18:58:45 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
2012-03-17 18:58:45 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
2012-03-17 18:58:45 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
2012-03-17 18:58:44 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-03-17 18:58:44 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-03-17 18:58:44 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-03-17 18:58:44 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-03-12 09:28:51 -------- d-----w- C:\Windows\SysWow64\Wat
2012-03-12 09:28:51 -------- d-----w- C:\Windows\System32\Wat
2012-03-12 08:50:17 3912576 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-03-12 08:50:16 5561216 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-03-12 08:50:16 3967872 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-03-12 08:50:15 77312 ----a-w- C:\Windows\System32\packager.dll
2012-03-12 08:50:15 67072 ----a-w- C:\Windows\SysWow64\packager.dll
2012-03-09 22:36:25 -------- d-----w- C:\Users\websitewendy\AppData\Local\Adobe
2012-03-09 22:03:46 -------- d-----w- C:\Users\websitewendy\AppData\Roaming\ESET
2012-03-09 22:03:46 -------- d-----w- C:\Users\websitewendy\AppData\Local\ESET
2012-03-09 22:03:10 -------- d-----w- C:\Program Files\ESET
2012-03-09 21:30:30 -------- d-----w- C:\Users\websitewendy\AppData\Local\Mozilla
2012-03-09 11:16:43 8643640 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2012-03-09 10:58:56 -------- d-----w- C:\Users\websitewendy\AppData\Local\ATI
2012-03-09 10:55:37 0 ----a-w- C:\Windows\ativpsrm.bin
2012-03-09 10:51:15 438808 ----a-w- C:\Windows\System32\drivers\iaStor.sys
2012-03-09 10:51:15 -------- d-----w- C:\Intel
2012-03-09 10:48:22 -------- d-----w- C:\Windows\SysWow64\RTCOM
2012-03-09 10:47:58 -------- d-----w- C:\Users\websitewendy\AppData\Roaming\WinBatch
2012-03-09 10:28:30 -------- d-----w- C:\Windows\Panther
.
==================== Find3M ====================
.
2012-02-23 17:18:36 279656 ------w- C:\Windows\System32\MpSigStub.exe
2011-12-28 03:59:24 498688 ----a-w- C:\Windows\System32\drivers\afd.sys
.
============= FINISH: 9:29:54.11 ===============


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 3/9/2012 2:45:03 AM
System Uptime: 3/20/2012 6:37:22 AM (27 hours ago)
.
Motherboard: PEGATRON CORPORATION | | 2AC2
Processor: Intel® Core™ i7-2600S CPU @ 2.80GHz | CPU 1 | 1596/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 1074 GiB total, 1033.488 GiB free.
D: is FIXED (NTFS) - 323 GiB total, 322.945 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
L: is FIXED (NTFS) - 931 GiB total, 831.05 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description: SM Bus Controller
Device ID: PCI\VEN_8086&DEV_1C22&SUBSYS_2AC2103C&REV_05\3&11583659&0&FB
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_8086&DEV_1C22&SUBSYS_2AC2103C&REV_05\3&11583659&0&FB
Service:
.
Class GUID:
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_8086&DEV_1C3A&SUBSYS_2AC2103C&REV_04\3&11583659&0&B0
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_8086&DEV_1C3A&SUBSYS_2AC2103C&REV_04\3&11583659&0&B0
Service:
.
Class GUID:
Description: WD SES Device USB Device
Device ID: USBSTOR\OTHER&VEN_WD&PROD_SES_DEVICE&REV_1003\575845314138315230393638&1
Manufacturer:
Name: WD SES Device USB Device
PNP Device ID: USBSTOR\OTHER&VEN_WD&PROD_SES_DEVICE&REV_1003\575845314138315230393638&1
Service:
.
==== System Restore Points ===================
.
RP7: 3/12/2012 3:00:13 AM - Windows Update
RP8: 3/17/2012 11:59:18 AM - Windows Update
RP9: 3/17/2012 12:09:15 PM - Windows Update
RP10: 3/18/2012 1:25:03 PM - Installed Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
RP11: 3/18/2012 1:26:28 PM - Installed Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
RP12: 3/18/2012 1:29:54 PM - Installed Java™ 6 Update 22
RP13: 3/18/2012 1:30:48 PM - Installed OpenOffice.org 3.3
RP14: 3/19/2012 10:44:12 AM - Windows Update
RP15: 3/19/2012 2:43:30 PM - Installed Java™ 6 Update 31
RP16: 3/19/2012 5:13:05 PM - Norton 360 Registry Clean
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Community Help
Adobe Content Viewer
Adobe Creative Suite 5.5 Master Collection
Adobe Flash Player 10 ActiveX
Adobe Reader X (10.1.2)
Adobe Story
Adobe Widget Browser
Catalyst Control Center - Branding
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-core-static
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
ESET Online Scanner v3
Google Chrome
HydraVision
Intel® Rapid Storage Technology
Java Auto Updater
Java™ 6 Update 31
Malwarebytes Anti-Malware version 1.60.1.1000
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft_VC80_ATL_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
Microsoft_VC90_MFCLOC_x86
Norton 360
OpenOffice.org 3.3
PDF Settings CS5
Realtek High Definition Audio Driver
.
==== Event Viewer Messages From Past Week ========
.
3/20/2012 6:36:39 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
3/20/2012 6:31:39 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the WSearch service.
3/20/2012 6:31:09 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the LanmanServer service.
3/19/2012 10:43:01 AM, Error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.57 with the system having network hardware address 00-1B-9E-43-EB-C0. Network operations on this system may be disrupted as a result.
3/19/2012 10:26:35 PM, Error: Service Control Manager [7034] - The Adobe Acrobat Update Service service terminated unexpectedly. It has done this 1 time(s).
3/18/2012 4:34:09 PM, Error: Schannel [36887] - The following fatal alert was received: 47.
3/17/2012 9:40:35 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk5\DR5.
.
==== End Of File ===========================


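As an added example (not part of this thread, and not code from the DDS tool or BleepingComputer), here is a small Python triage script for the "Pseudo HJT Report" format in the DDS log above: it parses the Run-key, BHO/toolbar and TCP NameServer lines and lists the items a responder would look at first. The sample lines are constructed in the same format as the log above; the `[Updater]` entry is hypothetical and was added only to exercise the user-writable-path check. Flags are review prompts, not verdicts.

```python
"""Triage helper for the DDS 'Pseudo HJT Report' format (added example, not DDS code)."""
import re
from typing import Dict, List

# Line shapes taken from the DDS report above: Run keys, BHO/toolbar entries, DNS settings.
RUN_RE = re.compile(r"^(?P<kind>[um]Run(?:-x64)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
BHO_RE = re.compile(r"^(?P<kind>(?:BHO|TB)(?:-X64)?): (?P<name>.+?) - (?P<path>.*)$")
DNS_RE = re.compile(r"^TCP: (?:Interfaces\\\S+ : )?(?P<key>DhcpNameServer|NameServer) = (?P<val>.+)$")
# Locations a standard user can write to; persistence launched from here deserves a look.
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|users\\public)\\", re.IGNORECASE)

# Constructed sample in the same format as the log above. The '[Updater]' line is a
# hypothetical entry added to exercise the user-writable check; it is not from the log.
SAMPLE = r"""
uStart Page = about:blank
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
uRun: [Google Update] "C:\Users\websitewendy\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
uRun: [Updater] C:\Users\websitewendy\AppData\Roaming\svc\updater.exe
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E0D673EF-1FD2-44CC-896B-7AA6CDBBBB86} : NameServer = 8.8.8.8,8.8.4.4
"""


def command_path(cmd: str) -> str:
    """Extract the executable path from a Run-key command line (quoted or unquoted)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted path, possibly containing spaces: take everything up to the first
    # executable/script extension that is followed by whitespace or end of line.
    m = re.match(r"(.+?\.(?:exe|dll|cmd|bat|vbs|js))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else (cmd.split() or [""])[0]


def parse_entries(text: str) -> List[Dict[str, str]]:
    """Turn report lines into {kind, name, path} records; unknown lines are ignored."""
    entries: List[Dict[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            entries.append({"kind": m["kind"], "name": m["name"], "path": command_path(m["cmd"])})
            continue
        m = BHO_RE.match(line)
        if m:
            entries.append({"kind": m["kind"], "name": m["name"], "path": m["path"].strip()})
            continue
        m = DNS_RE.match(line)
        if m:
            entries.append({"kind": m["key"], "name": "dns", "path": m["val"].strip()})
    return entries


def triage(text: str) -> List[str]:
    """Apply review heuristics; returns readable findings (items to review, not verdicts)."""
    findings: List[str] = []
    dhcp, static = set(), set()
    for e in parse_entries(text):
        kind, name, path = e["kind"], e["name"], e["path"]
        if kind == "DhcpNameServer":
            dhcp.add(path)
        elif kind == "NameServer":
            static.add(path)
        elif path == "No File":
            # Orphaned BHO/toolbar registrations: leftover from an uninstall, or a removed payload.
            findings.append(f"orphan {kind} entry '{name}' points to a missing file")
        elif USER_WRITABLE.search(path):
            # Legitimate updaters also live here (Google Update does), so this is a prompt to verify.
            findings.append(f"{kind} '{name}' runs from a user-writable location: {path}")
    if static and static != dhcp:
        # A static resolver that differs from the DHCP-assigned one is worth confirming with the owner.
        findings.append(f"static DNS {sorted(static)} overrides DHCP-assigned {sorted(dhcp)}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```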
#2 websitewendy
  • Topic Starter
  • Members
  • 23 posts

Posted 21 March 2012 - 01:12 PM

I forgot to note that I have HIPS alerts enabled in ESET Smart Security Pro 5, and I noticed ~internat.exe on startup was allowed.
Two different paths; I didn't copy them. I turned the machine off, but one was ~\Run\internat.exe and one was an Internet Explorer path \internat.exe.


crazy crazy crazy

I need a couple of files off the remote drive which was attached to this PC and don't know if I can trust it.

#3 nasdaq
  • Malware Response Team
  • 39,179 posts
  • Location:Montreal, QC. Canada

Posted 24 March 2012 - 09:43 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

I need a couple of files off the remote drive which was attached to this PC and don't know if I can trust it.

If you need some .txt files I do not see any problems. Any file with another extension may be problematic.

Let's start from the beginning.


Please download TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please post the logs for my review.

#4 websitewendy
  • Topic Starter
  • Members
  • 23 posts

Posted 25 March 2012 - 02:56 PM

I have TDSSKiller and aswMBR on the machine from the 18th, but
I'm actually a bit scared to connect it back to my modem to run the update, since the last time they reprogrammed / broke my router.
Getting a new IP from my ISP is unbelievably next to impossible.

TDSS ran clean but I don't know how to get the asw files to you.
I'm too paranoid to use any of my USB sticks on my new computer.

Any suggestions?

#5 nasdaq
  • Malware Response Team
  • 39,179 posts
  • Location:Montreal, QC. Canada

Posted 26 March 2012 - 01:18 PM

Transfer the file using a CD. That medium will not get infected.

#6 nasdaq
  • Malware Response Team
  • 39,179 posts
  • Location:Montreal, QC. Canada

Posted 01 April 2012 - 09:41 AM

Are you still with me?

#7 websitewendy
  • Topic Starter
  • Members
  • 23 posts

Posted 01 April 2012 - 02:42 PM

Hi,
thanks for following up.
I am just too paranoid to deal with that machine. I'm going to put a new HD in it.
Is there any possibility of something being deeper than that?

Back to the external drive files for a minute.
I have narrowed down what I absolutely must have to an Excel file, a dozen or so JPGs and a dozen PSDs.
The timestamps on all of those files are exactly what they should be, so:
1. Do infections modify files without modifying timestamps? (Just an educational question for me.)
2. If I transfer them to a CD and then to my new machine, there is no chance of infection of the new machine?
3. If there is a potential of infection from CD to new machine, could I open the file on the old machine and save it as something else?


Thank you!

#8 nasdaq
  • Malware Response Team
  • 39,179 posts
  • Location:Montreal, QC. Canada

Posted 02 April 2012 - 08:15 AM

There is a very low chance that they could be infected. If they are dated some time ago then the possibility is very low.

Normally a Windows 7 machine is easy to clean. Bite the bullet and run this tool. You may be very surprised at what this tool can find/delete.

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall.


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html



