Trojan horse


11 replies to this topic

#1 frente158

  • Members
  • 5 posts

Posted 02 April 2012 - 07:37 PM

It appears that my Symantec antivirus blocks a bunch of Trojan horses and puts them in quarantine. The files are something like DWHFA0D.TMP; all of them are .tmp. But every time there are more and more; right now there are like 70 .tmp files. When I look in the path that Symantec reports, of course there is nothing there.

Please help. Thanks. Above is the HijackThis log file.


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:32:07 PM, on 4/2/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Cisco\Cisco NAC Agent\NACAgentUI.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Microsoft Visual Studio 10.0\Common7\IDE\devenv.exe
C:\Program Files\Common Files\Microsoft Shared\DevServer\10.0\WebDev.WebServer40.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\DWHWizrd.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SavUI.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\rundll32.exe
C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskeng.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MIF5BA~1\Office14\GROOVEEX.DLL
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MIF5BA~1\Office14\URLREDIR.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [NACAgentUI] C:\Program Files\Cisco\Cisco NAC Agent\NACAgentUI.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Ivan\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MIF5BA~1\Office14\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O16 - DPF: {9EF2BA47-C6A7-470D-9DD9-4323B0CB8353} (WebClient Control) - http://192.168.98.9:100/WebClient.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Cisco NAC Agent (NACAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco\Cisco NAC Agent\NACAgent.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6122 bytes

Edit: Moved topic from Introductions to the more appropriate forum. ~ Animal


#2 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 12,661 posts

Posted 08 April 2012 - 07:40 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/448617 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 frente158
  • Topic Starter

  • Members
  • 5 posts

Posted 10 April 2012 - 10:24 AM

Here are the log files created when I ran the DDS. Thanks.

Attached Files



#4 ratman

    Bleepin' gnawing at it!

  • Malware Response Team
  • 1,799 posts
  • Location:Scotland

Posted 10 April 2012 - 10:50 AM

Hello frente158,

My name is ratman and I will be helping you with your computer problems.

Before we begin, I would like to make a few things clear so that we can fix your problem as efficiently as possible:

  • Be sure to follow all my instructions carefully! If there is anything you don't understand, don't hesitate to ask.
  • Please do not do anything or perform other steps unless I have asked you to do so.
  • Please make sure you post all logs I ask you to, and make sure that the entire log gets posted.

====================================================================================

Going over your logs I noticed that you have BitTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall BitTorrent; however, that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

====================================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Please uncheck the following settings that we do not want in our scan.
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.


In your next reply, please copy/paste the contents of the following:
  • gmer.log

regards, ratman

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM



#5 frente158
  • Topic Starter

  • Members
  • 5 posts

Posted 11 April 2012 - 10:27 PM

Here is the result of the scan.


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-11 23:26:30
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2 TOSHIBA_MK2546GSX rev.LB014C
Running: 3denqb17.exe; Driver: C:\Users\Ivan\AppData\Local\Temp\kxldrpog.sys


---- System - GMER 1.0.15 ----

SSDT 85C47B10 ZwAlertResumeThread
SSDT 85AA3660 ZwAlertThread
SSDT 85C2F0B8 ZwAllocateVirtualMemory
SSDT 859750B0 ZwConnectPort
SSDT 85ABE838 ZwCreateMutant
SSDT 85BF30B0 ZwCreateThread
SSDT 85C3AB68 ZwFreeVirtualMemory
SSDT 85ABEF28 ZwImpersonateAnonymousToken
SSDT 85ABC208 ZwImpersonateThread
SSDT 85ABC7D0 ZwMapViewOfSection
SSDT 85ABE4D8 ZwOpenEvent
SSDT 85AC5AC8 ZwOpenProcessToken
SSDT 85AD1F18 ZwOpenThreadToken
SSDT \??\C:\Windows\system32\drivers\wpsdrvnt.sys ZwProtectVirtualMemory [0x8E6CC8B0]
SSDT 85A91AD8 ZwResumeThread
SSDT 85ABCA20 ZwSetContextThread
SSDT 85AC5930 ZwSetInformationProcess
SSDT 85AD15D8 ZwSetInformationThread
SSDT 85C0EDD8 ZwSuspendProcess
SSDT 85AC5528 ZwSuspendThread
SSDT 85AD1158 ZwTerminateProcess
SSDT 85AB8418 ZwTerminateThread
SSDT 85AD1388 ZwUnmapViewOfSection
SSDT 85C3A0C0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13C1 82A533D9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A8CD52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10DB 82A93DD0 8 Bytes [10, 7B, C4, 85, 60, 36, AA, ...]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 82A93DE8 4 Bytes [B8, F0, C2, 85]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1193 82A93E88 4 Bytes [B0, 50, 97, 85]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 82A93EC4 4 Bytes CALL E972C474
.text ntkrnlpa.exe!KeRemoveQueueEx + 1203 82A93EF8 4 Bytes [B0, 30, BF, 85]
.text ...
? C:\Users\Ivan\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3116] ntdll.dll!NtCreateFile + 6 779855CE 4 Bytes [28, 00, 36, 00]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3116] ntdll.dll!NtCreateFile + B 779855D3 1 Byte [E2]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3116] ntdll.dll!NtMapViewOfSection + 6 77985C2E 1 Byte [28]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3116] ntdll.dll!NtMapViewOfSection + 6 77985C2E 4 Bytes [28, 03, 36, 00]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3116] ntdll.dll!NtMapViewOfSection + B 77985C33 1 Byte [E2]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3116] ntdll.dll!NtOpenFile + 6 77985CDE 4 Bytes [68, 00, 36, 00]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3116] ntdll.dll!NtOpenFile + B 77985CE3 1 Byte [E2]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3116] ntdll.dll!NtOpenProcess + 6 77985D8E 4 Bytes [A8, 01, 36, 00]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3116] ntdll.dll!NtOpenProcess + B 77985D93 1 Byte [E2]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3116] ntdll.dll!NtOpenProcessToken + 6 77985D9E 4 Bytes CALL 769893A4 C:\Windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3116] ntdll.dll!NtOpenProcessToken + B 77985DA3 1 Byte [E2]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3116] ntdll.dll!NtOpenProcessTokenEx + 6 77985DAE 4 Bytes [A8, 02, 36, 00]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3116] ntdll.dll!NtOpenProcessTokenEx + B 77985DB3 1 Byte [E2]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3116] ntdll.dll!NtOpenThread + 6 77985E0E 4 Bytes [68, 01, 36, 00]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3116] ntdll.dll!NtOpenThread + B 77985E13 1 Byte [E2]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3116] ntdll.dll!NtOpenThreadToken + 6 77985E1E 4 Bytes [68, 02, 36, 00]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3116] ntdll.dll!NtOpenThreadToken + B 77985E23 1 Byte [E2]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3116] ntdll.dll!NtOpenThreadTokenEx + 6 77985E2E 4 Bytes CALL 76989435 C:\Windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3116] ntdll.dll!NtOpenThreadTokenEx + B 77985E33 1 Byte [E2]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3116] ntdll.dll!NtQueryAttributesFile + 6 77985F3E 4 Bytes [A8, 00, 36, 00]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3116] ntdll.dll!NtQueryAttributesFile + B 77985F43 1 Byte [E2]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3116] ntdll.dll!NtQueryFullAttributesFile + 6 77985FEE 4 Bytes CALL 769895F3 C:\Windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3116] ntdll.dll!NtQueryFullAttributesFile + B 77985FF3 1 Byte [E2]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3116] ntdll.dll!NtSetInformationFile + 6 7798663E 4 Bytes [28, 01, 36, 00]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3116] ntdll.dll!NtSetInformationFile + B 77986643 1 Byte [E2]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3116] ntdll.dll!NtSetInformationThread + 6 7798669E 4 Bytes [28, 02, 36, 00]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3116] ntdll.dll!NtSetInformationThread + B 779866A3 1 Byte [E2]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3116] ntdll.dll!NtUnmapViewOfSection + 6 779869BE 1 Byte [68]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3116] ntdll.dll!NtUnmapViewOfSection + 6 779869BE 4 Bytes [68, 03, 36, 00]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3116] ntdll.dll!NtUnmapViewOfSection + B 779869C3 1 Byte [E2]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3952] ntdll.dll!NtCreateFile + 6 779855CE 4 Bytes [28, 00, 33, 00] {SUB [EAX], AL; XOR EAX, [EAX]}
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3952] ntdll.dll!NtCreateFile + B 779855D3 1 Byte [E2]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3952] ntdll.dll!NtMapViewOfSection + 6 77985C2E 1 Byte [28]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3952] ntdll.dll!NtMapViewOfSection + 6 77985C2E 4 Bytes [28, 03, 33, 00] {SUB [EBX], AL; XOR EAX, [EAX]}
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3952] ntdll.dll!NtMapViewOfSection + B 77985C33 1 Byte [E2]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3952] ntdll.dll!NtOpenFile + 6 77985CDE 4 Bytes [68, 00, 33, 00]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3952] ntdll.dll!NtOpenFile + B 77985CE3 1 Byte [E2]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3952] ntdll.dll!NtOpenProcess + 6 77985D8E 4 Bytes [A8, 01, 33, 00] {TEST AL, 0x1; XOR EAX, [EAX]}
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3952] ntdll.dll!NtOpenProcess + B 77985D93 1 Byte [E2]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3952] ntdll.dll!NtOpenProcessToken + 6 77985D9E 4 Bytes CALL 769890A4 C:\Windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3952] ntdll.dll!NtOpenProcessToken + B 77985DA3 1 Byte [E2]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3952] ntdll.dll!NtOpenProcessTokenEx + 6 77985DAE 4 Bytes [A8, 02, 33, 00] {TEST AL, 0x2; XOR EAX, [EAX]}
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3952] ntdll.dll!NtOpenProcessTokenEx + B 77985DB3 1 Byte [E2]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3952] ntdll.dll!NtOpenThread + 6 77985E0E 4 Bytes [68, 01, 33, 00]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3952] ntdll.dll!NtOpenThread + B 77985E13 1 Byte [E2]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3952] ntdll.dll!NtOpenThreadToken + 6 77985E1E 4 Bytes [68, 02, 33, 00]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3952] ntdll.dll!NtOpenThreadToken + B 77985E23 1 Byte [E2]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3952] ntdll.dll!NtOpenThreadTokenEx + 6 77985E2E 4 Bytes CALL 76989135 C:\Windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3952] ntdll.dll!NtOpenThreadTokenEx + B 77985E33 1 Byte [E2]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3952] ntdll.dll!NtQueryAttributesFile + 6 77985F3E 4 Bytes [A8, 00, 33, 00] {TEST AL, 0x0; XOR EAX, [EAX]}
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3952] ntdll.dll!NtQueryAttributesFile + B 77985F43 1 Byte [E2]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3952] ntdll.dll!NtQueryFullAttributesFile + 6 77985FEE 4 Bytes CALL 769892F3 C:\Windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3952] ntdll.dll!NtQueryFullAttributesFile + B 77985FF3 1 Byte [E2]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3952] ntdll.dll!NtSetInformationFile + 6 7798663E 4 Bytes [28, 01, 33, 00] {SUB [ECX], AL; XOR EAX, [EAX]}
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3952] ntdll.dll!NtSetInformationFile + B 77986643 1 Byte [E2]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3952] ntdll.dll!NtSetInformationThread + 6 7798669E 4 Bytes [28, 02, 33, 00] {SUB [EDX], AL; XOR EAX, [EAX]}
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3952] ntdll.dll!NtSetInformationThread + B 779866A3 1 Byte [E2]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3952] ntdll.dll!NtUnmapViewOfSection + 6 779869BE 1 Byte [68]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3952] ntdll.dll!NtUnmapViewOfSection + 6 779869BE 4 Bytes [68, 03, 33, 00]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3952] ntdll.dll!NtUnmapViewOfSection + B 779869C3 1 Byte [E2]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp wpsdrvnt.sys

Device \Driver\ACPI_HAL \Device\00000056 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp wpsdrvnt.sys

---- EOF - GMER 1.0.15 ----
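Reading a GMER log like the one above by hand is tedious. The Python helper below is an added example (not part of this thread and not GMER's own code): it splits a GMER 1.0.15 text log into its sections and summarises the SSDT hooks, separating those GMER resolved to a driver file (wpsdrvnt.sys in the log above) from anonymous kernel addresses, and the inline ntdll hooks per process, noting which module the patched bytes CALL into when GMER printed one. The embedded sample log is constructed from the line formats seen above.

```python
"""Triage helper for GMER 1.0.15 text logs (added example; not part of the
thread and not GMER's own code). It splits the log into its sections and
summarises SSDT hooks (resolved driver file vs. anonymous kernel address)
and inline user-mode hooks per process. SAMPLE_LOG is constructed from the
line formats in the log above; the addresses are illustrative."""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
# "SSDT <addr> <ZwFunc>"  or  "SSDT <driver path> <ZwFunc> [0x<addr>]"
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(Zw\w+)(?:\s+\[(0x[0-9A-Fa-f]+)\])?")
# ".text <image>[<pid>] <module>!<export> + <off> <addr> <n> Byte(s) <rest>"
USER_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[\w.]+)!(?P<export>\w+)\s*\+\s*(?P<offset>[0-9A-Fa-f]+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes?\s*(?P<rest>.*)$"
)
CALL_RE = re.compile(r"CALL\s+[0-9A-Fa-f]+\s+(\S+)")


def split_sections(text):
    """Map each section title ('System', 'User code sections', ...) to its lines."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif current and line:
            sections[current].append(line)
    return sections


def parse_ssdt(lines):
    """SSDT hook records: function, owner (driver file name or None), address."""
    hooks = []
    for m in filter(None, map(SSDT_RE.match, lines)):
        target, func, addr = m.groups()
        if target.startswith("\\"):  # GMER resolved the hook to a driver image
            owner = target.rsplit("\\", 1)[-1].lower()
            hooks.append({"function": func, "owner": owner, "address": addr})
        else:
            hooks.append({"function": func, "owner": None, "address": "0x" + target})
    return hooks


def parse_user_hooks(lines):
    """Group inline user-mode hooks by (image path, pid)."""
    hooks = defaultdict(list)
    for m in filter(None, map(USER_RE.match, lines)):
        call = CALL_RE.match(m.group("rest"))
        hooks[(m.group("image"), int(m.group("pid")))].append({
            "export": f"{m.group('module')}!{m.group('export')}",
            "offset": int(m.group("offset"), 16),
            "size": int(m.group("size")),
            "call_target": call.group(1) if call else None,  # module the patch CALLs into
        })
    return hooks


def summarize(text):
    """Compact triage summary of a whole GMER log."""
    sections = split_sections(text)
    ssdt = parse_ssdt(sections.get("System", []))
    processes = {}
    for (image, pid), entries in parse_user_hooks(sections.get("User code sections", [])).items():
        processes[(image.rsplit("\\", 1)[-1], pid)] = {
            "hooked_exports": sorted({e["export"] for e in entries}),
            "call_targets": sorted({e["call_target"] for e in entries if e["call_target"]}),
        }
    return {
        "ssdt_named_owners": sorted({h["owner"] for h in ssdt if h["owner"]}),
        "ssdt_anonymous": [h["function"] for h in ssdt if not h["owner"]],
        "processes": processes,
    }


# Constructed sample in the format of the log above (addresses illustrative).
SAMPLE_LOG = r"""GMER 1.0.15.15641 - http://www.gmer.net

---- System - GMER 1.0.15 ----

SSDT 85C47B10 ZwAlertResumeThread
SSDT 85AA3660 ZwAlertThread
SSDT \??\C:\Windows\system32\drivers\wpsdrvnt.sys ZwProtectVirtualMemory [0x8E6CC8B0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13C1 82A533D9 1 Byte [06]

---- User code sections - GMER 1.0.15 ----

.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3116] ntdll.dll!NtCreateFile + 6 779855CE 4 Bytes [28, 00, 36, 00]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3116] ntdll.dll!NtCreateFile + B 779855D3 1 Byte [E2]
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3116] ntdll.dll!NtOpenProcessToken + 6 77985D9E 4 Bytes CALL 769893A4 C:\Windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe[3952] ntdll.dll!NtCreateFile + 6 779855CE 4 Bytes [28, 00, 33, 00] {SUB [EAX], AL; XOR EAX, [EAX]}

---- EOF - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    import pprint
    pprint.pprint(summarize(SAMPLE_LOG))
```

Run it on a saved gmer.log by passing the file's contents to summarize(); hooks owned by a known security product's driver (here the Symantec firewall driver wpsdrvnt.sys) are expected, while anonymous SSDT hooks and unexplained CALL targets are what a reviewer looks at first.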

#6 ratman

    Bleepin' gnawing at it!

  • Malware Response Team
  • 1,799 posts
  • Location:Scotland

Posted 12 April 2012 - 04:58 AM

Hello frente158,

Please download ComboFix from here:

Link


* IMPORTANT !!! Save ComboFix.exe to your Desktop.

  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Right click on the ComboFix icon and run as admin, then follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

====================================================================================

I'd like you to run a scan with aswMBR
Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

====================================================================================

In your next reply, please copy/paste the contents of the following:
  • C:\Combofix.txt
  • aswMBR Log


How is your machine behaving now?
regards, ratman




#7 frente158
  • Topic Starter

  • Members
  • 5 posts

Posted 12 April 2012 - 09:53 PM

ComboFix 12-04-12.03 - Ivan 04/12/2012 21:20:05.1.1 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2039.1183 [GMT -4:00]
Running from: c:\users\Ivan\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Symantec Endpoint Protection *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: Symantec Endpoint Protection *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Ivan\AppData\Local\Temp\qltusegb.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-03-13 to 2012-04-13 )))))))))))))))))))))))))))))))
.
.
2012-04-12 14:21 . 2012-04-12 14:21 -------- d-----w- c:\users\Ivan\AppData\Roaming\Microsoft Corporation
2012-04-10 01:22 . 2012-04-10 01:22 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-09 17:36 . 2012-02-03 03:54 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-04-09 17:36 . 2012-02-10 05:38 1077248 ----a-w- c:\windows\system32\DWrite.dll
2012-04-09 17:34 . 2011-08-13 04:18 6144 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2012-04-09 17:34 . 2012-01-25 05:32 58880 ----a-w- c:\windows\system32\rdpwsx.dll
2012-04-09 17:34 . 2012-01-25 05:32 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-04-09 17:34 . 2012-01-25 05:27 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-04-09 17:34 . 2012-02-17 05:34 826880 ----a-w- c:\windows\system32\rdpcore.dll
2012-04-09 17:34 . 2012-02-17 04:14 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-09 17:34 . 2012-02-17 04:13 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-04-09 17:31 . 2011-11-19 14:50 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-09 17:31 . 2011-11-19 14:50 3913584 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-03-23 01:09 . 2012-03-23 01:09 -------- d-----w- c:\users\Ivan\AppData\Local\CrashDumps
2012-03-22 17:56 . 2012-03-22 17:56 -------- d-----w- c:\program files\Common Files\Cisco
2012-03-21 22:23 . 2012-03-21 22:23 388096 ----a-r- c:\users\Ivan\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-03-21 22:23 . 2012-03-21 22:23 -------- d-----w- c:\program files\Trend Micro
2012-03-20 23:06 . 2012-03-20 23:06 -------- d-----w- c:\users\Ivan\AppData\Roaming\Malwarebytes
2012-03-20 23:05 . 2012-03-20 23:05 -------- d-----w- c:\programdata\Malwarebytes
2012-03-20 23:05 . 2011-12-10 19:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-20 23:05 . 2012-03-20 23:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-03-17 01:58 . 2012-03-19 02:15 -------- d-----w- c:\users\Ivan\AppData\Local\NPE
2012-03-17 01:58 . 2012-03-17 01:59 -------- d-----w- c:\programdata\Norton
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-10 14:15 . 2011-09-28 23:10 2379552 ----a-w- c:\programdata\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2012-04-10 01:22 . 2011-09-29 02:54 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-11-11 287800]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-01-25 115560]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"NACAgentUI"="c:\program files\Cisco\Cisco NAC Agent\NACAgentUI.exe" [2011-09-01 540088]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jing]
2010-08-19 19:23 3069192 ----a-w- c:\program files\TechSmith\Jing\Jing.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2011-05-13 20:03 4283256 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-10 253600]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2010-01-12 227896]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 SQLAgent$DELETEFORVB;SQL Server Agent (DELETEFORVB);c:\program files\Microsoft SQL Server\MSSQL10_50.DELETEFORVB\MSSQL\Binn\SQLAGENT.EXE [2011-06-18 370016]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-09-29 1343400]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2010-04-03 44896]
R4 RsFx0105;RsFx0105 Driver;c:\windows\system32\DRIVERS\RsFx0105.sys [2011-09-22 238696]
R4 RsFx0151;RsFx0151 Driver;c:\windows\system32\DRIVERS\RsFx0151.sys [2011-06-18 240736]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2011-09-22 370024]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 MsDtsServer100;SQL Server Integration Services 10.0;c:\program files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe [2011-06-18 214880]
S2 MSOLAP$DELETEFORVB;SQL Server Analysis Services (DELETEFORVB);c:\program files\Microsoft SQL Server\MSAS10_50.DELETEFORVB\OLAP\bin\msmdsrv.exe [2011-06-18 25825120]
S2 MSSQL$DELETEFORVB;SQL Server (DELETEFORVB);c:\program files\Microsoft SQL Server\MSSQL10_50.DELETEFORVB\MSSQL\Binn\sqlservr.exe [2011-06-18 43040096]
S2 NACAgent;Cisco NAC Agent;c:\program files\Cisco\Cisco NAC Agent\NACAgent.exe [2011-09-01 1233848]
S2 ReportServer$DELETEFORVB;SQL Server Reporting Services (DELETEFORVB);c:\program files\Microsoft SQL Server\MSRS10_50.DELETEFORVB\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2011-06-18 1182048]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-02-03 106104]
S3 MSSQLFDLauncher$DELETEFORVB;SQL Full-text Filter Daemon Launcher (DELETEFORVB);c:\program files\Microsoft SQL Server\MSSQL10_50.DELETEFORVB\MSSQL\Binn\fdlauncher.exe [2010-04-03 28512]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - KXLDRPOG
*Deregistered* - kxldrpog
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-10 01:22]
.
2012-04-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-895594166-3422555335-2883573796-1000Core.job
- c:\users\Ivan\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-29 04:21]
.
2012-04-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-895594166-3422555335-2883573796-1000UA.job
- c:\users\Ivan\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-29 04:21]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office14\EXCEL.EXE/3000
TCP: DhcpNameServer = 131.94.7.220 131.94.205.10 131.94.226.10
DPF: {9EF2BA47-C6A7-470D-9DD9-4323B0CB8353} - hxxp://192.168.98.9:100/WebClient.cab
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-Wdf01000.sys
SafeBoot-Symantec Antvirus
AddRemove-{34D2AB40-150D-475D-AE32-BD23FB5EE355} - c:\program files\InstallShield Installation Information\{34D2AB40-150D-475D-AE32-BD23FB5EE355}\setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-04-12 21:33:24
ComboFix-quarantined-files.txt 2012-04-13 01:33
.
Pre-Run: 107,960,893,440 bytes free
Post-Run: 108,711,337,984 bytes free
.
- - End Of File - - ED7D8CF7DF615FDBFBE6F6662167450A



aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-12 22:49:39
-----------------------------
22:49:39.289 OS Version: Windows 6.1.7601 Service Pack 1
22:49:39.289 Number of processors: 1 586 0xE0C
22:49:39.291 ComputerName: IVAN-PC UserName: Ivan
22:49:42.733 Initialize success
22:50:29.001 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2
22:50:29.009 Disk 0 Vendor: TOSHIBA_MK2546GSX LB014C Size: 238475MB BusType: 11
22:50:29.035 Disk 0 MBR read successfully
22:50:29.043 Disk 0 MBR scan
22:50:29.047 Disk 0 Windows 7 default MBR code
22:50:29.053 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 226337 MB offset 63
22:50:29.090 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 12135 MB offset 463539510
22:50:29.098 Disk 0 scanning sectors +488392065
22:50:29.166 Disk 0 scanning C:\Windows\system32\drivers
22:50:42.873 Service scanning
22:51:18.298 Service SysPlant C:\Windows\SYSTEM32\Drivers\SysPlant.sys **LOCKED** 32
22:51:19.053 Service Teefer2 C:\Windows\system32\DRIVERS\teefer2.sys **LOCKED** 32
22:51:27.136 Service WPS C:\Windows\system32\drivers\wpsdrvnt.sys **LOCKED** 32
22:51:27.619 Service WpsHelper C:\Windows\system32\drivers\WpsHelper.sys **LOCKED** 32
22:51:29.479 Modules scanning
22:51:48.713 Disk 0 trace - called modules:
22:51:48.739 ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS halmacpi.dll PCIIDEX.SYS msahci.sys HSX_CNXT.sys
22:51:48.747 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85630510]
22:51:48.760 3 CLASSPNP.SYS[889b159e] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-2[0x85187908]
22:51:48.773 Scan finished successfully
22:52:14.139 Disk 0 MBR has been saved successfully to "C:\Users\Ivan\Desktop\MBR.dat"
22:52:14.156 The log file has been saved successfully to "C:\Users\Ivan\Desktop\aswMBR.txt"

#8 ratman

    Bleepin' gnawing at it!

  • Malware Response Team
  • 1,799 posts
  • Gender:Male
  • Location:Scotland
  • Local time:11:07 PM

Posted 13 April 2012 - 04:43 AM

Hi,

I'd like you to run a scan with Malwarebytes (ensuring that virus definitions are up to date) and copy/paste its log in your next reply.

How is your machine behaving now?
regards, ratman

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM



#9 frente158
  • Topic Starter

  • Members
  • 5 posts
  • Local time:05:07 PM

Posted 13 April 2012 - 05:22 PM

Here is the log; I ran a quick scan. I did that before posting here but it didn't find anything. The computer seems to be good; it did stop creating all those temp files.


Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.13.07

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 8.0.7601.17514
Ivan :: IVAN-PC [administrator]

4/13/2012 3:17:20 PM
mbam-log-2012-04-13 (15-17-20).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 197366
Time elapsed: 6 minute(s), 57 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#10 ratman

    Bleepin' gnawing at it!

  • Malware Response Team
  • 1,799 posts
  • Gender:Male
  • Location:Scotland
  • Local time:11:07 PM

Posted 14 April 2012 - 08:41 AM

Hello frente158,

Looking good. Let's try another scan:

I'd like us to scan your machine with ESET OnlineScan
  • Right click on the following link and open ESET OnlineScan in a new window: ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


In your next reply, please copy/paste the contents of the following:
  • ESETScan


How is your machine now? Any outstanding issues?
regards, ratman


#11 ratman

    Bleepin' gnawing at it!

  • Malware Response Team
  • 1,799 posts
  • Gender:Male
  • Location:Scotland
  • Local time:11:07 PM

Posted 18 April 2012 - 08:24 AM

Hello frente158,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.
regards, ratman


#12 ratman

    Bleepin' gnawing at it!

  • Malware Response Team
  • 1,799 posts
  • Gender:Male
  • Location:Scotland
  • Local time:11:07 PM

Posted 20 April 2012 - 09:33 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
regards, ratman
