
Computer is infected with a undetectable trojan


This topic is locked. 4 replies to this topic.

#1 Slayer90


Posted 19 April 2012 - 03:22 PM

This week, starting Monday, my computer suddenly became really slow and unresponsive. It freezes every so often. Last week and before, my computer was fine. I did not install any new add-on, neither last week nor this week. In the past I have had problems with these types of hard-to-detect trojans before.

This guy here recommended I go here.
http://www.bleepingcomputer.com/forums/topic450578.html

All logs below were done on April 19 2012.

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by alvin at 13:26:12 on 2012-04-19
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2047.1049 [GMT -7:00]
.
AV: Norton AntiVirus *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton AntiVirus *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\Engine\18.7.1.3\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Norton AntiVirus\Engine\18.7.1.3\ccSvcHst.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://isearch.avg.com/?cid={04AB23DF-7BE0-4516-8832-E4FE912063EE}&mid=b0557703bfcb47d08d33d1509db84070-06ce4fc639803a2e3563922518183d8e94088cb9&lang=en&ds=od011&pr=sa&d=2012-04-18 17:42:09&v=10.2.0.3&sap=hp
uSearch Bar = Preserve
mURLSearchHooks: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\bittorrentbar\tbBitT.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\18.7.1.3\ips\IPSBHO.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\bittorrentbar\tbBitT.dll
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.2.0.3\AVG Secure Search_toolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
TB: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\bittorrentbar\tbBitT.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.2.0.3\AVG Secure Search_toolbar.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\instal~1.lnk - c:\program files\sifxinst\SIFXINST.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
Trusted Zone: samsungsetup.com\www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{55B7C7B4-46C4-432F-A42D-13B216CBE3CD} : DhcpNameServer = 192.168.1.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\10.2.0\ViProtocol.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\alvin\appdata\roaming\mozilla\firefox\profiles\aad1f5qt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7Bcf8a7f59-fee4-4135-b48f-be787814ecc5%7D&mid=b0557703bfcb47d08d33d1509db84070-06ce4fc639803a2e3563922518183d8e94088cb9&ds=od011&v=10.2.0.3&lang=en&pr=sa&d=2012-04-18%2017%3A42%3A09&sap=ku&q=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.6.0.29\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\users\alvin\appdata\roaming\mozilla\firefox\profiles\aad1f5qt.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko19.dll
FF - component: c:\users\alvin\appdata\roaming\mozilla\firefox\profiles\aad1f5qt.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko5.dll
FF - component: c:\users\alvin\appdata\roaming\mozilla\firefox\profiles\aad1f5qt.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko6.dll
FF - component: c:\users\alvin\appdata\roaming\mozilla\firefox\profiles\aad1f5qt.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko7.dll
FF - component: c:\users\alvin\appdata\roaming\mozilla\firefox\profiles\aad1f5qt.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko8.dll
FF - component: c:\users\alvin\appdata\roaming\mozilla\firefox\profiles\aad1f5qt.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko9.dll
FF - component: c:\users\alvin\appdata\roaming\mozilla\firefox\profiles\aad1f5qt.default\extensions\dttoolbar@toolbarnet.com\components\DTToolbarFF.dll
FF - component: c:\users\alvin\appdata\roaming\mozilla\firefox\profiles\aad1f5qt.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\npjpi160_31.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_233.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
FF - Ext: DAEMON Tools Toolbar: DTToolbar@toolbarnet.com - %profile%\extensions\DTToolbar@toolbarnet.com
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: BitTorrentBar Community Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - %profile%\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}
FF - Ext: Easy YouTube Video Downloader: {c0c9a2c7-2e5c-4447-bc53-97718bc91e1b} - %profile%\extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Symantec Intrusion Prevention: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.6.0.29\IPSFFPlgn
FF - Ext: AVG Security Toolbar: avg@toolbar - c:\programdata\avg secure search\10.2.0.3
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1207010.003\symds.sys [2012-4-3 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1207010.003\symefa.sys [2012-4-3 744568]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.6.0.29\definitions\bashdefs\20120413.001\BHDrvx86.sys [2012-4-17 821880]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.6.0.29\definitions\ipsdefs\20120418.001\IDSvix86.sys [2012-4-18 368248]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1207010.003\ironx86.sys [2012-4-3 136312]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nav\1207010.003\symtdiv.sys [2012-4-3 331384]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2010-8-5 21504]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-8-9 654408]
R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\18.7.1.3\ccsvchst.exe [2012-4-3 130008]
R2 vToolbarUpdater10.2.0;vToolbarUpdater10.2.0;c:\program files\common files\avg secure search\vtoolbarupdater\10.2.0\ToolbarUpdater.exe [2012-4-18 918880]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-2-3 106104]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-8-9 22344]
R3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2006-11-2 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2006-11-2 251904]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-2 135664]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-12 253088]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-8-2 135664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-04-19 00:42:08 -------- d-----w- c:\programdata\AVG Secure Search
2012-04-19 00:42:05 -------- d-----w- c:\program files\common files\AVG Secure Search
2012-04-19 00:42:03 -------- d-----w- c:\program files\AVG Secure Search
2012-04-19 00:41:24 -------- d--h--w- c:\programdata\Common Files
2012-04-19 00:41:10 -------- d-----w- c:\users\alvin\appdata\roaming\OpenCandy
2012-04-13 05:16:02 4139680 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-04-13 05:01:32 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-13 05:01:32 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-12 00:10:40 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2012-04-03 21:41:13 744568 ----a-r- c:\windows\system32\drivers\nav\1207010.003\symefa.sys
2012-04-03 21:41:13 516216 ----a-r- c:\windows\system32\drivers\nav\1207010.003\srtsp.sys
2012-04-03 21:41:13 50168 ----a-r- c:\windows\system32\drivers\nav\1207010.003\srtspx.sys
2012-04-03 21:41:13 340088 ----a-r- c:\windows\system32\drivers\nav\1207010.003\symds.sys
2012-04-03 21:41:13 331384 ----a-w- c:\windows\system32\drivers\nav\1207010.003\symtdiv.sys
2012-04-03 21:41:13 299640 ----a-w- c:\windows\system32\drivers\nav\1207010.003\symnets.sys
2012-04-03 21:41:13 136312 ----a-r- c:\windows\system32\drivers\nav\1207010.003\ironx86.sys
2012-04-03 21:41:03 -------- d-----w- c:\windows\system32\drivers\nav\1207010.003
.
==================== Find3M ====================
.
2012-04-07 15:43:21 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-04 22:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-06 06:39:00 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-03-06 06:39:00 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-02-29 15:11:45 5120 ----a-w- c:\windows\system32\wmi.dll
2012-02-29 15:11:42 172032 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 15:09:53 157696 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 13:32:37 12800 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-02-28 01:18:55 1799168 ----a-w- c:\windows\system32\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 01:03:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-14 15:45:30 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-02-14 15:45:30 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-02-13 14:12:08 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-02-13 13:47:57 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-02-13 13:44:40 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-02-02 15:16:25 2044416 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 13:26:49.28 ===============






GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-19 14:22:59
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3250820AS rev.3.AAE
Running: hebigm53.exe; Driver: C:\Users\alvin\AppData\Local\Temp\pwlorpod.sys


---- System - GMER 1.0.15 ----

SSDT 866DF4E0 ZwAlertResumeThread
SSDT 866DF5C0 ZwAlertThread
SSDT 866DFDF0 ZwAllocateVirtualMemory
SSDT 8639ED28 ZwAlpcConnectPort
SSDT 867E2BE0 ZwAssignProcessToJobObject
SSDT 866DF230 ZwCreateMutant
SSDT 867E2900 ZwCreateSymbolicLinkObject
SSDT 86445348 ZwCreateThread
SSDT 867E2CC0 ZwDebugActiveProcess
SSDT 866DFF80 ZwDuplicateObject
SSDT 866DFC50 ZwFreeVirtualMemory
SSDT 866DF320 ZwImpersonateAnonymousToken
SSDT 866DF400 ZwImpersonateThread
SSDT 8639ECB0 ZwLoadDriver
SSDT 866DFB70 ZwMapViewOfSection
SSDT 866DF150 ZwOpenEvent
SSDT 86445230 ZwOpenProcess
SSDT 866DFEC0 ZwOpenProcessToken
SSDT 867E2EE8 ZwOpenSection
SSDT 86445160 ZwOpenThread
SSDT 867E2AF0 ZwProtectVirtualMemory
SSDT 866DF6A0 ZwResumeThread
SSDT 866DF920 ZwSetContextThread
SSDT 866DF9E0 ZwSetInformationProcess
SSDT 867E2DA0 ZwSetSystemInformation
SSDT 866DF0B0 ZwSuspendProcess
SSDT 866DF780 ZwSuspendThread
SSDT 86445428 ZwTerminateProcess
SSDT 866DF860 ZwTerminateThread
SSDT 866DFAB0 ZwUnmapViewOfSection
SSDT 866DFD20 ZwWriteVirtualMemory
SSDT 867E29F0 ZwCreateThreadEx

INT 0x51 ? 84A18BF8
INT 0x62 ? 85A88BF8
INT 0x72 ? 85A88BF8
INT 0x82 ? 85A88BF8
INT 0x82 ? 85A88BF8
INT 0x82 ? 85A88BF8
INT 0x92 ? 85A88BF8
INT 0xA2 ? 84A18BF8
INT 0xB2 ? 84A18BF8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 11D 81EBE8A0 8 Bytes [E0, F4, 6D, 86, C0, F5, 6D, ...]
.text ntkrnlpa.exe!KeSetEvent + 131 81EBE8B4 4 Bytes [F0, FD, 6D, 86]
.text ntkrnlpa.exe!KeSetEvent + 13D 81EBE8C0 4 Bytes [28, ED, 39, 86]
.text ntkrnlpa.exe!KeSetEvent + 191 81EBE914 4 Bytes [E0, 2B, 7E, 86] {LOOPNZ 0x2d; JLE 0xffffffffffffff8a}
.text ntkrnlpa.exe!KeSetEvent + 1F5 81EBE978 4 Bytes [30, F2, 6D, 86]
.text ...
? System32\Drivers\spvj.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 87F5141B 5 Bytes JMP 85A881D8
? C:\Users\alvin\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [806046D6] \SystemRoot\System32\Drivers\spvj.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [80604042] \SystemRoot\System32\Drivers\spvj.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [80604800] \SystemRoot\System32\Drivers\spvj.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [806040C0] \SystemRoot\System32\Drivers\spvj.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8060413E] \SystemRoot\System32\Drivers\spvj.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [80613B90] \SystemRoot\System32\Drivers\spvj.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 84A1D1F8
Device \FileSystem\fastfat \FatCdrom 86AAB1F8
Device \Driver\volmgr \Device\VolMgrControl 84A1A1F8
Device \Driver\usbohci \Device\USBPDO-0 85EB43E0
Device \Driver\usbohci \Device\USBPDO-1 85EB43E0
Device \Driver\usbohci \Device\USBPDO-2 85EB43E0
Device \Driver\usbohci \Device\USBPDO-3 85EB43E0
Device \Driver\USBSTOR \Device\00000060 863861F8
Device \Driver\USBSTOR \Device\00000061 863861F8
Device \Driver\usbohci \Device\USBPDO-4 85EB43E0

AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\USBSTOR \Device\00000062 863861F8
Device \Driver\usbehci \Device\USBPDO-5 85E9D1F8
Device \Driver\volmgr \Device\HarddiskVolume1 84A1A1F8
Device \Driver\volmgr \Device\HarddiskVolume2 84A1A1F8
Device \Driver\cdrom \Device\CdRom0 85E8E1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 84A1C1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-3 84A1C1F8
Device \Driver\atapi \Device\Ide\IdePort0 84A1C1F8
Device \Driver\atapi \Device\Ide\IdePort1 84A1C1F8
Device \Driver\atapi \Device\Ide\IdePort2 84A1C1F8
Device \Driver\atapi \Device\Ide\IdePort3 84A1C1F8
Device \Driver\volmgr \Device\HarddiskVolume3 84A1A1F8
Device \Driver\volmgr \Device\HarddiskVolume4 84A1A1F8
Device \Driver\USBSTOR \Device\00000067 863861F8
Device \Driver\volmgr \Device\HarddiskVolume5 84A1A1F8
Device \Driver\USBSTOR \Device\00000068 863861F8
Device \Driver\volmgr \Device\HarddiskVolume6 84A1A1F8
Device \Driver\USBSTOR \Device\00000069 863861F8
Device \Driver\volmgr \Device\HarddiskVolume7 84A1A1F8
Device \Driver\netbt \Device\NetBt_Wins_Export 863B91F8
Device \Driver\Smb \Device\NetbiosSmb 863A81F8
Device \Driver\iScsiPrt \Device\RaidPort0 85EB31F8

AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\USBSTOR \Device\0000006a 863861F8
Device \Driver\usbohci \Device\USBFDO-0 85EB43E0
Device \Driver\usbohci \Device\USBFDO-1 85EB43E0
Device \Driver\usbohci \Device\USBFDO-2 85EB43E0
Device \Driver\usbohci \Device\USBFDO-3 85EB43E0
Device \Driver\usbohci \Device\USBFDO-4 85EB43E0
Device \Driver\usbehci \Device\USBFDO-5 85E9D1F8
Device \FileSystem\fastfat \Fat 86AAB1F8

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\cdfs \Cdfs 875731F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xE8 0x7D 0xB9 0xD3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xE8 0x7D 0xB9 0xD3 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...

---- EOF - GMER 1.0.15 ----

Edited by Slayer90, 19 April 2012 - 05:15 PM.
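As an added triage example (not from the thread, and not part of GMER itself), the script below parses the "Kernel code sections" and "Kernel IAT/EAT" lines of a GMER 1.0.15 log in the format posted above, groups IAT hooks by the module that now owns each import, and flags any such module whose file GMER reported it could not find on disk. The embedded sample log is constructed from lines in that same format; the script only summarises what the log says and does not decide whether a hooking module is legitimate.

```python
"""Triage helper for GMER 'Kernel IAT/EAT' hook listings (added example)."""
import re
from collections import defaultdict

# Constructed sample in GMER 1.0.15 log format, modelled on the log above.
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 11D 81EBE8A0 8 Bytes [E0, F4, 6D, 86, C0, F5, 6D, ...]
? System32\Drivers\spvj.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 87F5141B 5 Bytes JMP 85A881D8
? C:\Users\alvin\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [806046D6] \SystemRoot\System32\Drivers\spvj.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [80604042] \SystemRoot\System32\Drivers\spvj.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [80613B90] \SystemRoot\System32\Drivers\spvj.sys
"""

# IAT <importing module>[<imported symbol>] [<address>] <module that now owns the import>
IAT_RE = re.compile(r"^IAT ([^\[\s]+)\[([^\]]+)\] \[([0-9A-Fa-f]+)\] (\S+)$")
# ? <path> The system cannot find the (path|file) specified. !
MISSING_RE = re.compile(r"^\? (\S+) The system cannot find the (?:path|file) specified\. !$")


def basename(path):
    """Last component of a Windows path, lower-cased so paths can be matched."""
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()


def parse_gmer(text):
    """Collect IAT hook records and the set of module files GMER could not find."""
    hooks = []
    missing = set()
    for line in text.splitlines():
        line = line.strip()
        m = IAT_RE.match(line)
        if m:
            hooks.append({"victim": basename(m.group(1)), "import": m.group(2),
                          "address": m.group(3).upper(), "owner": basename(m.group(4))})
            continue
        m = MISSING_RE.match(line)
        if m:
            missing.add(basename(m.group(1)))
    return {"iat_hooks": hooks, "missing_files": missing}


def triage(parsed):
    """One report entry per hooking module, modules with no file on disk first."""
    by_owner = defaultdict(list)
    for h in parsed["iat_hooks"]:
        by_owner[h["owner"]].append(h)
    report = []
    for owner, hs in by_owner.items():
        report.append({
            "module": owner,
            "hooks": len(hs),
            "victims": sorted({h["victim"] for h in hs}),
            "imports": sorted(h["import"] for h in hs),
            "file_on_disk": owner not in parsed["missing_files"],
        })
    report.sort(key=lambda r: (r["file_on_disk"], -r["hooks"], r["module"]))
    return report


if __name__ == "__main__":
    for entry in triage(parse_gmer(SAMPLE_LOG)):
        flag = "" if entry["file_on_disk"] else "  <-- file not found by GMER"
        print(f"{entry['module']}: {entry['hooks']} IAT hooks in "
              f"{', '.join(entry['victims'])}{flag}")
```

Run against a full GMER log by replacing SAMPLE_LOG with the file contents; the output is a starting point for checking each listed module, not a verdict.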



#2 Slayer90


Posted 19 April 2012 - 06:05 PM

Help. F secure isn't working. Is there an alternative?

Edited by Slayer90, 19 April 2012 - 06:10 PM.


#3 Slayer90


Posted 21 April 2012 - 10:56 AM

It has been days.

Kaspersky Virus Removal tool seems to have discovered the Trojan.Win32.Autoit.agv. I need help removing it without having to reinstall my computer and start all over again.

#4 m0le

Malware Response Team

Posted 23 April 2012 - 07:23 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Undetectable trojans? No such thing.

Kaspersky Virus Removal tool. Seems to have discover the Trojan.Win32.Autoit.agv


Did Kaspersky's tool not remove the trojan - it's a pretty low-risk one?


What I would like is an FRST scan, please. The aswMBR scan run previously has an UNKNOWN element which could be a rootkit.

Download Farbar Recovery Scan Tool and save it to a flash drive.


Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool (scan your computer's memory for errors)
  • Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it in your next reply.

#5 m0le

Malware Response Team

Posted 28 April 2012 - 06:14 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.