
MBAM log shows some easy infections. Do I need to check out more?


19 replies to this topic

#1 mogiebi
  • Members
  • 19 posts

Posted 28 May 2012 - 10:57 AM

Hi!

I just got a mail from my bank that my BankID chip was disabled (the little chip with a display that gives you a security number for logging in to your bank via the Internet). They said it was because there was information sent from my computer that may have come from malware of some sort which tried to distort the information sent through the Java plugin that the bank uses.

Anyway, I have only one Windows XP computer that I know of (because they said it came from a Windows XP computer) that I have used for my bank login. I just ran a scan with MBAM. This is what I found.


Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Databaseversjon: v2012.05.28.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.13
Therese sin :: THERESE [administrator]

28.05.2012 17:15:52
mbam-log-2012-05-28 (17-15-52).txt

Skanntype: Hurtigsøk
Aktiverte skanningsinnstillinger: Minne | Oppstart | Register | Filsystem | Heuristikk/Ekstra | Heuristikk/Shuriken | PUP | PUM
Deaktiverte skanninnstillinger: P2P
Objekter skannet: 186088
Tid tilbakelagt: 11 minutt(er), 56 sekund(er)

Minneprosesser oppdaget: 0
(Ingen skadelige objekter funnet)

Minnemoduler oppdaget: 0
(Ingen skadelige objekter funnet)

Registernøkler oppdaget: 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\qword.com (Adware.QWO) -> Satt i karantene og slettet vellykket.

Registerverdier oppdaget: 1
HKCU\Software\Microsoft\Internet Explorer\New Windows\Allow|www.qword.com (Adware.QWO) -> Data: -> Satt i karantene og slettet vellykket.

Registerfiler oppdaget: 2
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Search Page (Hijack.Homepage) -> Dårlig: (http://www.qword.com/?s=1) God: (http://www.Google.com/) -> Satt i karantene og reparert vellykket.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Dårlig: (0) God: (1) -> Satt i karantene og reparert vellykket.

Mapper oppdaget: 0
(Ingen skadelige objekter funnet)

Filer oppdaget 1
C:\Documents and Settings\Therese sin\Favoritter\Qword Search Engine.url (Adware.QWO) -> Satt i karantene og slettet vellykket.

(klar)


Should I try scanning something else? Or is this good enough? I have Java 7,4 updated, Windows updated, and MSE security found nothing with a recent scan.


#2 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 01 June 2012 - 06:59 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


And

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.


Then

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
m0le is a proud member of UNITE

#3 mogiebi
  • Topic Starter
  • Members
  • 19 posts

Posted 03 June 2012 - 01:36 PM

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 10.4.1
Run by Therese sin at 18:57:20 on 2012-06-03
Microsoft Windows XP Home Edition 5.1.2600.3.1252.47.1044.18.1014.224 [GMT 2:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Programfiler\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Programfiler\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Programfiler\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programfiler\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programfiler\Microsoft Security Client\msseces.exe
C:\Programfiler\Fellesfiler\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Therese sin\Programdata\Spotify\Data\SpotifyWebHelper.exe
C:\WINDOWS\system32\igfxext.exe
C:\DOCUME~1\THERES~1\LOKALE~1\Temp\RtkBtMnt.exe
C:\Programfiler\Google\Chrome\Application\chrome.exe
C:\Programfiler\Google\Chrome\Application\chrome.exe
C:\Programfiler\Google\Chrome\Application\chrome.exe
C:\Programfiler\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Therese sin\Programdata\Spotify\spotify.exe
C:\Programfiler\Google\Chrome\Application\chrome.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.no/
uSearch Page = hxxp://www.Google.com/
uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0414&s=0&o=xph&d=0509&m=aspire_one
mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0414&s=0&o=xph&d=0509&m=aspire_one
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0414&s=0&o=xph&d=0509&m=aspire_one
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\programfiler\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: Påloggingshjelp for Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\programfiler\fellesfiler\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programfiler\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Spotify Web Helper] "c:\documents and settings\therese sin\programdata\spotify\data\SpotifyWebHelper.exe"
mRun: [IAAnotif] c:\programfiler\intel\intel matrix storage manager\iaanotif.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\programfiler\synaptics\syntp\SynTPEnh.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PLFSetL] c:\windows\PLFSetL.exe
mRun: [snp2uvc] rundll32.exe c:\windows\system32\csnp2uvc.dll,ResetCIDS
mRun: [LXCYCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCYtime.dll,_RunDLLEntry@16
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AzMixerSel] c:\programfiler\realtek\audio\drivers\AzMixerSel.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [MSC] "c:\programfiler\microsoft security client\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\programfiler\fellesfiler\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\felles~1\micros~1\dw\dwtrig20.exe" -t
IE: E&ksporter til Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send til &Bluetooth-enhet... - c:\programfiler\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send til Bluetooth - c:\programfiler\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\programfiler\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programfiler\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\programfiler\windows live\writer\WriterBrowserExtension.dll
Trusted Zone: facebook.com\www
Trusted Zone: spotify.com\www
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{EA523D28-D576-4B05-937A-D523913EBD20} : DhcpNameServer = 192.168.0.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\felles~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 171064]
R2 IAANTMON;Intel® Matrix Storage Event Monitor;c:\programfiler\intel\intel matrix storage manager\IAANTmon.exe [2009-1-17 354840]
R2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
S2 gupdate1ca09f5216d6d5c;Googles oppdateringstjeneste (gupdate1ca09f5216d6d5c);c:\programfiler\google\update\GoogleUpdate.exe [2009-7-21 133104]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-12 257696]
S3 gupdatem;Google-oppdatering-tjenesten (gupdatem);c:\programfiler\google\update\GoogleUpdate.exe [2009-7-21 133104]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2009-1-17 160256]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
.
=============== Created Last 30 ================
.
2012-06-03 09:17:23 6737808 ----a-w- c:\documents and settings\all users\programdata\microsoft\microsoft antimalware\definition updates\{ab8d3e28-5241-4d25-83f1-6d61d8fd2f18}\mpengine.dll
2012-06-01 22:20:38 6737808 ------w- c:\documents and settings\all users\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-05-28 15:13:55 -------- d-----w- c:\documents and settings\therese sin\programdata\Malwarebytes
2012-05-28 15:13:31 -------- d-----w- c:\documents and settings\all users\programdata\Malwarebytes
2012-05-28 15:13:27 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-28 15:13:27 -------- d-----w- c:\programfiler\Malwarebytes' Anti-Malware
2012-05-10 20:20:05 -------- d-----w- c:\documents and settings\therese sin\.nets
2012-05-09 18:15:00 -------- d-----w- c:\documents and settings\therese sin\lokale innstillinger\programdata\Sun
2012-05-09 17:43:12 -------- d-----w- c:\programfiler\Oracle
2012-05-09 17:42:51 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
.
==================== Find3M ====================
.
2012-05-07 16:12:35 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-07 16:12:34 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-11 13:55:27 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-11 13:55:17 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 13:55:05 2150400 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-04 16:47:36 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-04 16:47:02 687504 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-20 18:44:12 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys
.
============= FINISH: 18:59:00,53 ===============

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-06-03 20:35:55
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST916031 rev.0303
Running: in2g1gvd.exe; Driver: C:\DOCUME~1\THERES~1\LOKALE~1\Temp\kxddipob.sys


---- Kernel code sections - GMER 1.0.15 ----

? aleb.sys Systemet finner ikke angitt fil. !
? C:\DOCUME~1\THERES~1\LOKALE~1\Temp\mbr.sys Systemet finner ikke angitt fil. !

---- User code sections - GMER 1.0.15 ----

.text C:\Documents and Settings\Therese sin\Programdata\Spotify\spotify.exe[1064] ntdll.dll!DbgBreakPoint 7C90120E 1 Byte [C3]
.text C:\Documents and Settings\Therese sin\Programdata\Spotify\spotify.exe[1064] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 5 Bytes JMP 7C9225C8 C:\WINDOWS\system32\ntdll.dll (NT nivå-dll/Microsoft Corporation)
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3728] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 55, 00]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3728] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3728] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3728] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 55, 00]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3728] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3728] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 55, 00]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3728] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3728] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 55, 00]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3728] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3728] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B912B1A
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3728] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3728] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 55, 00]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3728] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3728] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 55, 00]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3728] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3728] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 55, 00]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3728] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3728] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B912B8B
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3728] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3728] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 55, 00]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3728] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3728] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B912CB9
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3728] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3728] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 55, 00]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3728] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3728] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 55, 00]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3728] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3728] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3728] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 55, 00]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3728] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 55, 00]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 55, 00]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 55, 00]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 55, 00]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B912B1A
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 55, 00]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 55, 00]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 55, 00]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B912B8B
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 55, 00]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B912CB9
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 55, 00]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 55, 00]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 55, 00]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[4008] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[4008] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[4008] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[4008] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[4008] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[4008] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[4008] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[4008] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[4008] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[4008] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[4008] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[4008] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[4008] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[4008] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[4008] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[4008] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[4008] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[4008] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[4008] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[4008] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[4008] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[4008] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[4008] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[4008] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[4008] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[4008] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[4008] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[4008] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[4008] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Programfiler\Google\Chrome\Application\chrome.exe[4008] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Programfiler\Google\Chrome\Application\chrome.exe[3728] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 006C0010
IAT C:\Programfiler\Google\Chrome\Application\chrome.exe[3760] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 006B0010
IAT C:\Programfiler\Google\Chrome\Application\chrome.exe[4008] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 002D0010

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (WDF Dynamic/Microsoft Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

#4 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 03 June 2012 - 06:01 PM

The first thing I have to check is this.

I just got a mail from my bank that my BankID chip were disabled.


I find it slightly hard to believe a bank would email you this kind of warning. Are you sure this wasn't a phishing scam?

#5 mogiebi
  • Topic Starter
  • Members
  • 19 posts

Posted 04 June 2012 - 12:59 AM

It was the bank. I called them afterwards. I got an SMS btw (not email) about that chip. Do you find anything suspicious in the logs?

#6 mogiebi
  • Topic Starter
  • Members
  • 19 posts

Posted 04 June 2012 - 01:09 AM

Just to have it all clear... Sorry, I got an SMS from the bank that my BankID chip was disabled. I called them afterwards and they told me about the XP computer they had traced some bad information from... :)

#7 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 04 June 2012 - 06:16 PM

Okay SMS is fine. Just had to check :)

The logs aren't showing anything but it's early days.

Please run aswMBR

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


#8 mogiebi
  • Topic Starter
  • Members
  • 19 posts

Posted 05 June 2012 - 02:38 AM

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-06-05 08:25:19
-----------------------------
08:25:19.250 OS Version: Windows 5.1.2600 Service Pack 3
08:25:19.250 Number of processors: 2 586 0x1C02
08:25:19.250 ComputerName: THERESE UserName:
08:25:20.828 Initialize success
08:39:52.421 AVAST engine defs: 12060500
08:40:14.515 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
08:40:14.515 Disk 0 Vendor: ST916031 0303 Size: 152627MB BusType: 3
08:40:14.546 Disk 0 MBR read successfully
08:40:14.546 Disk 0 MBR scan
08:40:14.734 Disk 0 unknown MBR code
08:40:14.734 Disk 0 Partition 1 00 12 Compaq diag NTFS 6149 MB offset 63
08:40:14.812 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 146476 MB offset 12595200
08:40:14.828 Disk 0 scanning sectors +312578048
08:40:15.000 Disk 0 scanning C:\WINDOWS\system32\drivers
08:40:43.750 Service scanning
08:41:29.781 Modules scanning
08:41:38.890 Disk 0 trace - called modules:
08:41:38.953 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
08:41:38.953 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86743ab8]
08:41:38.953 3 CLASSPNP.SYS[f7670fd7] -> nt!IofCallDriver -> \Device\0000008f[0x86771130]
08:41:38.968 5 ACPI.sys[f7567620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x86776030]
08:41:40.250 AVAST engine scan C:\WINDOWS
08:42:05.562 AVAST engine scan C:\WINDOWS\system32
08:48:35.046 AVAST engine scan C:\WINDOWS\system32\drivers
08:49:07.906 AVAST engine scan C:\Documents and Settings\Therese sin
09:33:08.156 AVAST engine scan C:\Documents and Settings\All Users
09:34:33.781 Scan finished successfully
09:37:31.578 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Therese sin\Skrivebord\oppvask\MBR.dat"
09:37:31.953 The log file has been saved successfully to "C:\Documents and Settings\Therese sin\Skrivebord\oppvask\aswMBR.txt"
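
The aswMBR log above rewards a closer read than "nothing found". As an added example (not part of the thread and not aswMBR's own tooling), the Python below parses the disk, partition and "scanning sectors" lines, checks that the numbers agree with each other, and lists the lines worth a second look. It assumes aswMBR's sizes are MB of 512-byte sectors (2048 sectors per MB), which this log bears out: partition 2 starts at sector 12595200 and runs 146476 MB, so it ends at sector 312578048, exactly where the "scanning sectors +312578048" pass begins, and the 152627 MB disk leaves 2048 sectors (1 MB) of unpartitioned tail that the pass covers. The "unknown MBR code" line means aswMBR did not recognise the boot code; it is a prompt to compare the saved MBR.dat with a known-good MBR, not by itself proof of a bootkit, since non-standard OEM boot code (this disk carries a Compaq diagnostics partition) can also produce it. That reading is mine, not the thread's.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the lines of the aswMBR log posted in this thread that the
# parser uses, copied verbatim; the parser ignores every other line.
SAMPLE_LOG = """\
08:40:14.515 Disk 0 Vendor: ST916031 0303 Size: 152627MB BusType: 3
08:40:14.546 Disk 0 MBR read successfully
08:40:14.734 Disk 0 unknown MBR code
08:40:14.734 Disk 0 Partition 1 00 12 Compaq diag NTFS 6149 MB offset 63
08:40:14.812 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 146476 MB offset 12595200
08:40:14.828 Disk 0 scanning sectors +312578048
09:34:33.781 Scan finished successfully
"""

# Assumption: aswMBR's "MB" figures are MB of 512-byte sectors (2048 per MB).
SECTORS_PER_MB = 2048

LINE_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d{3} (.*)$")
SIZE_RE = re.compile(r"^Disk (\d+) Vendor: .* Size: (\d+)MB")
PART_RE = re.compile(
    r"^Disk (\d+) Partition (\d+) ([0-9A-Fa-f]{2}) (?:\(A\) )?([0-9A-Fa-f]{2}) "
    r"(.+?) (\d+) MB offset (\d+)$"
)
TAIL_RE = re.compile(r"^Disk (\d+) scanning sectors \+(\d+)$")
UNKNOWN_MBR_RE = re.compile(r"^Disk (\d+) unknown MBR code$")


@dataclass
class Partition:
    number: int
    boot_flag: int   # 0x80 = active/bootable, 0x00 = inactive
    type_id: int     # MBR partition type byte, e.g. 0x07 NTFS, 0x12 Compaq diag
    label: str
    size_mb: int
    offset: int      # first sector (LBA)

    @property
    def end_sector(self) -> int:
        return self.offset + self.size_mb * SECTORS_PER_MB


@dataclass
class DiskReport:
    disk: int
    size_mb: int = 0
    partitions: List[Partition] = field(default_factory=list)
    tail_scan_start: Optional[int] = None   # from "scanning sectors +N"
    unknown_mbr_code: bool = False


def parse_aswmbr(text: str) -> Dict[int, DiskReport]:
    """Build one DiskReport per disk from aswMBR log text."""
    reports: Dict[int, DiskReport] = {}

    def rep(disk: str) -> DiskReport:
        return reports.setdefault(int(disk), DiskReport(disk=int(disk)))

    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group(1)
        s, p, t, u = (SIZE_RE.match(msg), PART_RE.match(msg),
                      TAIL_RE.match(msg), UNKNOWN_MBR_RE.match(msg))
        if s:
            rep(s.group(1)).size_mb = int(s.group(2))
        elif p:
            rep(p.group(1)).partitions.append(Partition(
                number=int(p.group(2)), boot_flag=int(p.group(3), 16),
                type_id=int(p.group(4), 16), label=p.group(5),
                size_mb=int(p.group(6)), offset=int(p.group(7))))
        elif t:
            rep(t.group(1)).tail_scan_start = int(t.group(2))
        elif u:
            rep(u.group(1)).unknown_mbr_code = True
    return reports


def last_partition_end(rep: DiskReport) -> int:
    return max(p.end_sector for p in rep.partitions)


def slack_sectors(rep: DiskReport) -> int:
    """Unpartitioned sectors after the last partition: the region the
    'scanning sectors' pass covers and a classic place to stash bootkit code."""
    return rep.size_mb * SECTORS_PER_MB - last_partition_end(rep)


def review(rep: DiskReport) -> List[str]:
    """Lines in the log that deserve a second look, with the reason."""
    notes = []
    if rep.unknown_mbr_code:
        notes.append("unknown MBR code: aswMBR did not recognise the boot code; "
                     "compare the saved MBR.dat with a known-good MBR")
    active = [p for p in rep.partitions if p.boot_flag == 0x80]
    if len(active) != 1:
        notes.append(f"{len(active)} partitions carry the 0x80 boot flag; "
                     "a boot disk should have exactly one")
    if rep.tail_scan_start is not None and rep.tail_scan_start != last_partition_end(rep):
        notes.append("tail scan did not start where the last partition ends; "
                     "partition table and scanned region disagree")
    return notes


if __name__ == "__main__":
    for disk in parse_aswmbr(SAMPLE_LOG).values():
        print(f"disk {disk.disk}: {len(disk.partitions)} partitions, "
              f"{slack_sectors(disk)} unpartitioned sectors after the last one")
        for note in review(disk):
            print("  -", note)
```

Run against the log above it reports one active NTFS partition, a 2048-sector tail that the "scanning sectors" pass covered, and a single note about the unrecognised MBR code. The partition arithmetic matching the tail-scan offset is the useful sanity check: if the table aswMBR read and the region it scanned disagreed, something would be lying about the disk layout.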

#9 m0le (Malware Response Team)

Posted 05 June 2012 - 11:24 AM

Okay, rerun MBAM on Quick Scan and post the log.

Then visit the link below and run SAS.

Download Superantispyware
  • Load Superantispyware and click the check for updates button.
  • Once the update is finished, click the scan your computer button.
  • Check Perform Complete Scan and then next.
  • Superantispyware will now scan your computer and, when it's finished, it will list all the infections it has found.
  • Make sure that they all have a check next to them and press next.
  • Click finish and you will be taken back to the main interface.
  • Click Preferences and then click the statistics/logs tab. Click the dated log and press view log and a text file will appear.
  • Copy and paste the log after the MBAM log


#10 m0le (Malware Response Team)

Posted 10 June 2012 - 04:35 PM

Hi,

I have not had a reply from you for 5 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le

#11 mogiebi (Topic Starter)

Posted 12 June 2012 - 05:10 AM

Hi. I will have the computer in front of me in a couple of days. Will post a log then. Thanks!

#12 m0le (Malware Response Team)

Posted 12 June 2012 - 06:24 PM

Thanks for the update :thumbup2:

#13 mogiebi (Topic Starter)

Posted 15 June 2012 - 02:41 PM

Neither SAS nor MBAM found anything..


Edit: SAS found some cookies of course.. :P

Edited by mogiebi, 15 June 2012 - 02:42 PM.


#14 m0le (Malware Response Team)

Posted 15 June 2012 - 07:30 PM

Yes, SAS always finds cookies.

Can you run an online scan?

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • Copy and paste the resulting log in your next reply
If no log is generated that means nothing was found. Please let me know if this happens.

If you think a log should have been generated then go to C:\Program Files\ESET\ESET Online Scanner\log.txt to find it.

#15 mogiebi (Topic Starter)

Posted 18 June 2012 - 03:28 PM

C:\Documents and Settings\Therese sin\Mine dokumenter\Div prg updates\Photoshop CS2 Keygen.7z a variant of Win32/Keygen.CW application deleted - quarantined


The only thing it found. Think it's
