Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

GMER scan, a lot of entries listed under Rootkit/Malware - I am infected?


  • This topic is locked This topic is locked
9 replies to this topic

#1 zappafrank

zappafrank

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:28 PM

Posted 10 May 2012 - 03:59 AM

I've downloaded GMER and run a scan on one of my ws. A user complain that after he used it to check his Yahoo mail, his Yahoo account started to send spam with links to malicious site to all his contacts... I had Avira running on that PC it is updated with last definitions and complete system scan is run every day - no alerts or detections. I scanned the pc with Mbam also- nothing found. I decided to check with GMER for rootkits... And there are a lot of entries listed in GMER under Rootkit/Malware tab but scan finished without any warning of detection whatsoever. Also - no red lines... But I am still confused - is these listed under Rootkit/Malware detections or?

Please find attached GMER log file...

Thanks in advance for your help.

Attached File  gmer.log   7.71KB   23 downloads

Regards,

BC AdBot (Login to Remove)

 


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,083 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:09:28 PM

Posted 13 May 2012 - 12:44 PM

Hello ,
And :welcome: to the Bleeping Computer Malware Removal Forum
. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 zappafrank

zappafrank
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:28 PM

Posted 14 May 2012 - 03:49 AM

Hello Elise!

Here it is:

dds.txt:

----


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Administrator at 9:48:08 on 2012-05-14
Microsoft Windows XP Professional 5.1.2600.3.1251.359.1033.18.502.249 [GMT 3:00]
.
.
============== Running Processes ===============
.
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\USBDLM\USBDLM.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Gemplus\GemSafe Libraries\BIN\RegTool.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\charismathics\smart security interface 4.7\CSPregtool.exe
C:\Program Files\SetWeb\SetWeb.exe
C:\WINDOWS\system32\LFX6PUPO.exe
C:\WINDOWS\system32\dllhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Ztoolkit.Mainrun]
mRun: [RegTool] c:\program files\gemplus\gemsafe libraries\bin\RegTool.exe
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\smarts~1.lnk - c:\program files\charismathics\smart security interface 4.7\CSPregtool.exe
uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
mPolicies-system: disablecad = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
Trusted Zone: alphabank.bg\www
Trusted Zone: bulbank.bg\online
Trusted Zone: citicorp.com\citidirect-eb
Trusted Zone: citicorp.com\europe.citidirect-eb
Trusted Zone: ingonline.com\www
Trusted Zone: nra.bg\inetdec
Trusted Zone: nsi.bg\isbs
Trusted Zone: rbb.bg\online
DPF: {500A3316-5B0E-4253-BBE5-CE3F11A1AE71} - hxxps://inetdec.nra.bg/dds/InetVAT5Frm.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1268663004921
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1268662990691
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {97EA2A5E-A821-48A1-B0F9-DEDB5E0E62A2} - hxxps://inetdec.nra.bg/cabs/SignCOM.cab
DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} - hxxps://www.ingonline.com/capi/capicom.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://g8way.tmf-group.com/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 208.67.220.220 208.67.222.222 212.39.90.42
TCP: Interfaces\{4A28A5BD-BFFC-4280-8111-D7EFB124C108} : DhcpNameServer = 208.67.220.220 208.67.222.222 212.39.90.42
Notify: gemsafe - c:\program files\gemplus\gemsafe libraries\bin\WLEventNotify.dll
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2010-3-16 17968]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-3-25 36000]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]
R1 lfxnt;lfxnt;c:\windows\system32\drivers\lfxnt.sys [2011-2-21 61820]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-3-25 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-3-25 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-3-25 83392]
R2 USBDLM;USBDLM;c:\program files\usbdlm\USBDLM.exe [2008-8-17 156160]
R3 GTwinUSB;GTwinUSB;c:\windows\system32\drivers\GTwinUSB.sys [2011-2-21 61840]
R3 LFXACT;Companion Suite Pro LL F@X activities;c:\windows\system32\drivers\LFXACT.sys [2011-2-21 20672]
R3 XMLDIUSB;XML USB Device Interface;c:\windows\system32\drivers\XMLDIUSB.sys [2011-2-21 31879]
S2 McAfeeFramework;McAfee Framework Service;"c:\program files\mcafee\common framework\frameworkservice.exe" /servicestart --> c:\program files\mcafee\common framework\FrameworkService.exe [?]
S3 A38CCID;CCID USB Smart Card Reader;c:\windows\system32\drivers\a38ccid.sys [2011-2-21 37888]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-10 257696]
S3 EEX;EEX;c:\docume~1\admini~1\locals~1\temp\EEX.exe [2012-5-10 568192]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2012-05-09 04:59:01 83392 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-05-04 20:26:15 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-04 20:26:15 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-04 12:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 9:48:42.33 ===============

----
Attached File  attach.txt   11.2KB   5 downloads
Attached File  gmer.log   2.27KB   9 downloads

Thank you in advance for your time and help!

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,083 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:09:28 PM

Posted 14 May 2012 - 07:12 AM

The GMER log is clean. Usually whan an account is used to spam it means the password was compromised. Resetting it should stop the spam.

Lets also run an additional scan to be sure.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 zappafrank

zappafrank
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:28 PM

Posted 15 May 2012 - 03:04 AM

Here it is. Thanks.
Attached File  ComboFix.txt   7.17KB   5 downloads

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,083 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:09:28 PM

Posted 15 May 2012 - 08:04 AM

Everything looks good so far, did you reset the password for the email account?

Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Adobe components and update:
  • Download the latest version of Adobe Reader Version X. and save it to your desktop.
  • Uncheck the "Free McAfee Security plan Plus" option or any other Toolbar you are offered
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
  • Remove all older version of Adobe Reader: Go to Add/remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, the please see this tutorial:How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
    If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
Your Adobe Reader is now up to date!


Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
  • Download the latest version of Java Runtime Environment (JRE) Version 7u3.
  • Look for "JDK 7u3 (JDK or JRE).
  • Click the "Download JRE" button at the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Select "Windows x86 Offline" and click on jre-7-windows-i586.exe
  • Save it to your desktop
  • Close any programs you may have running - especially your web browser.
  • Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).
  • Reboot your computer once all Java components are removed.
  • Install the newest version by double clicking (run as Administrator for Windows Vista/Seven) the downloaded file.


ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image
      icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 zappafrank

zappafrank
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:28 PM

Posted 16 May 2012 - 07:34 AM

Eset found nothing hence no log file... All Adobe products were updated. Java also. Is there anything else to be done?ou

Regarding the guy with compromised yahoo account - he changed his password and for now everything seems to be ok...

Edited by zappafrank, 16 May 2012 - 07:35 AM.


#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,083 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:09:28 PM

Posted 16 May 2012 - 08:15 AM

Everything looks good. :thumbup2:

ALL CLEAN
--------------
Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:
  • Delete the tools used during the disinfection:

    • Press windows key Posted Image + r on your keyboard at the same time. In the run box type combofix /uninstall, then press OK.

      Posted Image
    • This will remove Combofix and other tools we used from your computer.
  • You can delete any other tool or log by simply deleting them.
Please read the following advice on how to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.
Some more links you might find of interest:
Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#9 zappafrank

zappafrank
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:28 PM

Posted 16 May 2012 - 08:37 AM

Thank you very much for your time and advices!

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,083 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:09:28 PM

Posted 16 May 2012 - 09:34 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users