Infected W32/Patched.UB


  • This topic is locked
6 replies to this topic

#1 lackluster

lackluster

  • Members
  • 3 posts
  • OFFLINE
  • Local time:04:36 PM

Posted 31 August 2012 - 12:39 PM

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by Hivemind at 12:57:16 on 2012-08-31
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2047.252 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k ipripsvc
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Secunia\PSI\sua.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\WindowsMobile\wmdcBase.exe
C:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Users\Hivemind\AppData\Local\Programs\Google\MusicManager\MusicManager.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spotify\Data\SpotifyWebHelper.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Teleca Shared\logger.exe
C:\Users\Hivemind\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\HTC\HTC Sync\ClientInitiatedStarter\ClientInitiatedStarter.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Hivemind\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Users\Hivemind\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Hivemind\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Hivemind\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Hivemind\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Hivemind\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Hivemind\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Users\Hivemind\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Users\Hivemind\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Hivemind\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Users\Hivemind\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [MusicManager] "c:\users\hivemind\appdata\local\programs\google\musicmanager\MusicManager.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Google Update] "c:\users\hivemind\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Spotify Web Helper] "c:\program files\spotify\data\SpotifyWebHelper.exe"
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Windows Mobile-based device management] %WINDIR%\WindowsMobile\wmdcBase.exe
mRun: [Mobile Connectivity Suite] "c:\program files\htc\htc sync\application launcher\Application Launcher.exe" /startoptions
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Malwarebytes' Anti-Malware] "c:\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [wutltb] rundll32.exe ",ComputeStats
StartupFolder: c:\users\hivemind\appdata\roaming\micros~1\windows\startm~1\programs\startup\ctfmon.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\users\hivemind\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\hivemind\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "c:\program files\fiddler2\Fiddler.exe"
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: c:\program files\nvidia corporation\networkaccessmanager\bin32\nvLsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{CCBA4A33-F56A-4A38-9D1B-DA7CCF501978} : DhcpNameServer = 75.75.75.75 75.75.76.76
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\hivemind\appdata\roaming\mozilla\firefox\profiles\1mynp67b.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://mail.google.com/mail/?shva=1#inbox|http://www.facebook.com/home.php?sk=lf|https://www.google.com/reader/view/?tab=my#stream/user%2F14165696305848183946%2Fstate%2Fcom.google%2Freading-list|http://www.wbur.org/media-player?title=Live%20Stream
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cb31b34&v=6.103.018.001&i=26&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\npjpi160_31.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\users\hivemind\appdata\local\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\users\hivemind\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\hivemind\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: d:\program files\itunes\mozilla plugins\npitunes.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: FiddlerHook: fiddlerhook@fiddler2.com - c:\program files\fiddler2\FiddlerHook
FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\hp\digital imaging\smart web printing\MozillaAddOn3
FF - Ext: AVG Security Toolbar em:version=6.103.018.001 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - c:\program files\avg\avg10\toolbar\firefox\avg@igeared
FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\hp\digital imaging\smart web printing\MozillaAddOn3
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2012-8-23 65816]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-5 297168]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-12-7 36000]
R1 RapportCerberus_42020;RapportCerberus_42020;c:\programdata\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus32_42020.sys [2012-8-15 228376]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2012-8-23 71480]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2012-8-23 166840]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-12-7 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2011-12-7 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-12-7 83392]
R2 iprip;RIP Listener;c:\windows\system32\svchost.exe -k ipripsvc [2009-7-13 20992]
R2 MBAMService;MBAMService;c:\malwarebytes' anti-malware\mbamservice.exe [2012-8-31 655944]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2012-8-23 976728]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-12-7 1153368]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-10-14 399416]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-9-14 22344]
R3 RapportIaso;RapportIaso;c:\programdata\trusteer\rapport\store\exts\rapportms\39624\RapportIaso.sys [2012-5-28 21520]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-5-27 134480]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 21968]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2009-10-26 25088]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2010-4-19 18432]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-10-14 994360]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-7-1 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-25 1343400]
S4 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-5-12 947528]
S4 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-8-18 7390560]
S4 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
S4 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;d:\program files\kodak\aio\center\ekdiscovery.exe [2010-9-13 308656]
S4 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
.
=============== Created Last 30 ================
.
2012-08-31 16:44:20 -------- d-----w- C:\ComboFix
2012-08-31 16:41:23 331 ----a-w- C:\Start_.cmd
2012-08-24 00:29:32 -------- d-----w- c:\programdata\036DFF59DACFCB8CFC6F15BCF875EF7E
2012-08-24 00:29:28 -------- d-----w- c:\users\hivemind\appdata\local\{BD771006-ED82-11E1-8270-B8AC6F996F26}
2012-08-24 00:29:23 462848 ----a-w- c:\users\hivemind\appdata\roaming\sinat.dll
2012-08-23 20:20:08 65816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2012-08-15 03:17:16 400896 ----a-w- c:\windows\system32\srcore.dll
2012-08-15 03:17:13 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-08-15 03:17:11 492032 ----a-w- c:\windows\system32\win32spl.dll
2012-08-15 03:17:11 317440 ----a-w- c:\windows\system32\spoolsv.exe
2012-08-15 03:17:07 41984 ----a-w- c:\windows\system32\browcli.dll
2012-08-15 03:17:07 102912 ----a-w- c:\windows\system32\browser.dll
2012-08-15 03:17:06 769024 ----a-w- c:\windows\system32\localspl.dll
.
==================== Find3M ====================
.
2012-07-03 17:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-29 00:16:58 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-06-29 00:09:01 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-29 00:08:59 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-29 00:04:43 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-29 00:00:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-07 00:59:42 1070152 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-06-06 05:05:52 1390080 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 05:05:52 1236992 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 05:03:06 805376 ----a-w- c:\windows\system32\cdosys.dll
2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 21:42:34 8673792 ----a-w- c:\programdata\atscie.msi
2012-06-02 19:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601 Disk: WDC_WD15 rev.21.0 -> Harddisk1\DR1 -> \Device\0000006d
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll storport.sys nvstor32.sys
c:\windows\system32\drivers\nvstor32.sys NVIDIA Corporation NVIDIA nForce™ SATA Driver
1 ntkrnlpa!IofCallDriver[0x82E5055A] -> \Device\Harddisk1\DR1[0x85F7D030]
3 CLASSPNP[0x8966259E] -> ntkrnlpa!IofCallDriver[0x82E5055A] -> [0x84E31E00]
5 ACPI[0x88EBA3D4] -> ntkrnlpa!IofCallDriver[0x82E5055A] -> \Device\0000006f[0x85DB3968]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
user != kernel MBR !!!
.
============= FINISH: 12:59:27.21 ===============


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:36 PM

Posted 31 August 2012 - 03:38 PM

Please do the following:

Download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
Then:
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter, and close the notepad.
  • In the command window type e:\frst.exe (for the x64 bit version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press the Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt file. Close out this message, then type the following into the search box:
    services.exe
  • Now press the Search button.
  • When the search is complete, Search.txt will also be written to your USB.
  • Type exit and reboot the computer normally.
  • Please copy and paste both logs (FRST.txt and Search.txt) in your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 lackluster

lackluster
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:04:36 PM

Posted 31 August 2012 - 03:56 PM

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 31-08-2012 01
Ran by SYSTEM at 31-08-2012 16:48:12
Running from H:\
Windows 7 Professional (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe [150528 2008-07-22] (Hewlett-Packard)
HKLM\...\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [54840 2007-05-08] (Hewlett-Packard)
HKLM\...\Run: [Windows Mobile-based device management] %WINDIR%\WindowsMobile\wmdcBase.exe [x]
HKLM\...\Run: [Mobile Connectivity Suite] "C:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" /startoptions [598016 2009-11-19] (Teleca Sweden AB)
HKLM\...\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe [2338656 2011-09-10] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2011-09-07] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM\...\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
HKLM\...\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe" [1778064 2010-07-21] (Microsoft Corporation)
HKLM\...\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [1797008 2010-07-21] (Microsoft Corporation)
HKLM\...\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe" [x]
HKLM\...\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe [479232 2005-07-15] (Google Inc.)
HKLM\...\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min [348664 2012-08-08] (Avira Operations GmbH & Co. KG)
HKLM\...\Run: [Malwarebytes' Anti-Malware] "C:\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-03] (Malwarebytes Corporation)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKLM\...\Run: [EKIJ5000StatusMonitor] C:\Windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe [1638400 2010-09-02] (Eastman Kodak Company)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM\...\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [642856 2008-12-12] (Cisco Systems, Inc.)
HKLM\...\Run: [wutltb] rundll32.exe ",ComputeStats [x]
HKU\Hivemind\...\Run: [MusicManager] "C:\Users\Hivemind\AppData\Local\Programs\Google\MusicManager\MusicManager.exe" [7316480 2012-08-15] (Google Inc.)
HKU\Hivemind\...\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKU\Hivemind\...\Run: [Google Update] "C:\Users\Hivemind\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2010-09-01] (Google Inc.)
HKU\Hivemind\...\Run: [Spotify Web Helper] "C:\Program Files\Spotify\Data\SpotifyWebHelper.exe" [1193176 2012-08-17] ()
HKU\Hivemind\...\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil10y_ActiveX.exe -update activex [243360 2011-12-12] (Adobe Systems, Inc.)
HKU\Mcx1-HIVEMIND-PC\...\Winlogon: [Shell] C:\Windows\eHome\McrMgr.exe [313344 2009-07-13] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Startup: C:\Users\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Users\Hivemind\Start Menu\Programs\Startup\ctfmon.lnk
ShortcutTarget: ctfmon.lnk -> C:\Windows\System32\rundll32.exe (Microsoft Corporation)
Startup: C:\Users\Hivemind\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)

========================== Services (Whitelisted) ========================

2 AntiVirSchedulerService; "C:\Program Files\Avira\AntiVir Desktop\sched.exe" [86224 2012-05-08] (Avira Operations GmbH & Co. KG)
2 AntiVirService; "C:\Program Files\Avira\AntiVir Desktop\avguard.exe" [110032 2012-05-08] (Avira Operations GmbH & Co. KG)
4 AVG Security Toolbar Service; C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe [947528 2011-03-18] ()
4 AVGIDSAgent; "C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe" [7390560 2011-08-17] (AVG Technologies CZ, s.r.o.)
4 avgwd; "C:\Program Files\AVG\AVG10\avgwdsvc.exe" [269520 2011-02-08] (AVG Technologies CZ, s.r.o.)
2 ForceWare Intelligent Application Manager (IAM); C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe [387616 2009-08-10] ()
2 iprip; C:\Windows\System32\iprip.dll [29696 2009-07-13] (Microsoft Corporation)
2 MBAMService; "C:\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)
4 McComponentHostService; "C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe" [227232 2010-01-15] (McAfee, Inc.)
2 nmservice; "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe" [642856 2008-12-12] (Cisco Systems, Inc.)
2 nSvcIp; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe [178720 2009-08-10] ()
2 SBSDWSCService; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
3 Secunia PSI Agent; "C:\Program Files\Secunia\PSI\PSIA.exe" --start-service [994360 2011-10-13] (Secunia)
2 Secunia Update Agent; "C:\Program Files\Secunia\PSI\sua.exe" --start-service [399416 2011-10-13] (Secunia)
4 Kodak AiO Network Discovery Service; C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe [x]
3 rpcapd; "C:\Program Files\WinPcap\rpcapd.exe" -d -f "C:\Program Files\WinPcap\rpcapd.ini" [x]

==================== Drivers (Whitelisted) ===================

3 AVGIDSDriver; C:\Windows\System32\DRIVERS\AVGIDSDriver.Sys [134480 2011-05-27] (AVG Technologies CZ, s.r.o. )
0 AVGIDSEH; C:\Windows\System32\DRIVERS\AVGIDSEH.Sys [22992 2011-02-22] (AVG Technologies CZ, s.r.o. )
3 AVGIDSFilter; C:\Windows\System32\DRIVERS\AVGIDSFilter.Sys [24144 2011-02-10] (AVG Technologies CZ, s.r.o. )
3 AVGIDSShim; C:\Windows\System32\DRIVERS\AVGIDSShim.Sys [21968 2011-02-10] (AVG Technologies CZ, s.r.o. )
1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [248656 2011-01-07] (AVG Technologies CZ, s.r.o.)
1 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [34896 2011-03-01] (AVG Technologies CZ, s.r.o.)
2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [83392 2012-05-08] (Avira GmbH)
0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [32592 2011-03-16] (AVG Technologies CZ, s.r.o.)
1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [297168 2011-04-04] (AVG Technologies CZ, s.r.o.)
1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [137928 2012-05-08] (Avira GmbH)
1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [36000 2011-09-15] (Avira GmbH)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [22344 2012-07-03] (Malwarebytes Corporation)
3 NPF; C:\Windows\System32\drivers\npf.sys [35088 2010-06-25] (CACE Technologies, Inc.)
3 NuidFltr; C:\Windows\System32\DRIVERS\NuidFltr.sys [21520 2010-07-21] (Microsoft Corporation)
2 pnarp; C:\Windows\System32\DRIVERS\pnarp.sys [24880 2008-12-12] (Cisco Systems, Inc.)
3 PSI; C:\Windows\System32\DRIVERS\psi_mf.sys [15544 2010-09-01] (Secunia)
2 purendis; C:\Windows\System32\DRIVERS\purendis.sys [26416 2008-12-12] (Cisco Systems, Inc.)
1 RapportCerberus_42020; \??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_42020.sys [228376 2012-08-14] ()
1 ssmdrv; C:\Windows\System32\DRIVERS\ssmdrv.sys [28520 2010-06-17] (Avira GmbH)
3 catchme; \??\C:\Users\Hivemind\AppData\Local\Temp\catchme.sys [x]

==================== NetSvcs (Whitelisted) =================


============ One Month Created Files and Folders ==============

2012-08-31 16:47 - 2012-08-31 16:48 - 00000000 ____D C:\FRST
2012-08-31 12:39 - 2012-08-31 12:39 - 00902846 ____A (Farbar) C:\Users\Hivemind\Downloads\FRST.exe
2012-08-31 12:39 - 2012-08-31 12:39 - 00902846 ____A (Farbar) C:\Users\Hivemind\Desktop\FRST.exe
2012-08-31 09:38 - 2012-08-31 09:38 - 00053255 ____A C:\Users\Hivemind\Desktop\ark.txt
2012-08-31 09:08 - 2012-08-31 09:08 - 00050477 ____A C:\Users\Hivemind\Downloads\Defogger (2).exe
2012-08-31 09:08 - 2012-08-31 09:08 - 00050477 ____A C:\Users\Hivemind\Desktop\Defogger (2).exe
2012-08-31 09:03 - 2012-08-31 09:02 - 00302592 ____A C:\Users\Hivemind\Desktop\8yzoc6xn.exe
2012-08-31 09:02 - 2012-08-31 09:02 - 00302592 ____A C:\Users\Hivemind\Downloads\8yzoc6xn.exe
2012-08-31 09:01 - 2012-08-31 09:01 - 00302592 ____A C:\Users\Hivemind\Downloads\h5siz4f8.exe
2012-08-31 09:00 - 2012-08-31 09:00 - 00022343 ____A C:\Users\Hivemind\Desktop\DDS.txt
2012-08-31 09:00 - 2012-08-31 09:00 - 00009968 ____A C:\Users\Hivemind\Desktop\Attach.txt
2012-08-31 08:57 - 2012-08-31 08:57 - 00607260 ____R (Swearware) C:\Users\Hivemind\Downloads\dds.com
2012-08-31 08:45 - 2012-08-31 08:45 - 02211928 ____A (Kaspersky Lab ZAO) C:\Users\Hivemind\Desktop\tdsskiller.exe
2012-08-31 08:44 - 2012-08-31 08:45 - 02211928 ____A (Kaspersky Lab ZAO) C:\Users\Hivemind\Downloads\tdsskiller.exe
2012-08-31 08:44 - 2012-08-31 08:44 - 00000000 ____D C:\ComboFix
2012-08-31 08:43 - 2012-08-31 08:43 - 00000165 ____A C:\Users\Hivemind\Desktop\CF Script.txt
2012-08-31 08:41 - 2012-08-31 08:44 - 00000331 ____A C:\Start_.cmd
2012-08-31 08:37 - 2012-08-31 08:44 - 00000000 ___SD C:\32788R22FWJFW
2012-08-31 08:34 - 2012-08-31 08:35 - 01153912 ____A (Emsi Software GmbH) C:\Users\Hivemind\Downloads\BlitzBlank.exe
2012-08-31 08:29 - 2012-08-31 08:29 - 00050477 ____A C:\Users\Hivemind\Downloads\Defogger.exe
2012-08-31 08:29 - 2012-08-31 08:29 - 00050477 ____A C:\Users\Hivemind\Downloads\Defogger (1).exe
2012-08-31 08:17 - 2012-08-31 08:18 - 00079064 ____A C:\Users\Hivemind\Desktop\cc_new backup.reg
2012-08-31 07:57 - 2012-08-31 08:47 - 00000112 ____A C:\Windows\setupact.log
2012-08-31 07:57 - 2012-08-31 07:57 - 00000000 ____A C:\Windows\setuperr.log
2012-08-31 07:23 - 2012-08-31 07:23 - 04741772 ____R (Swearware) C:\Users\Hivemind\Desktop\ComboFix.exe
2012-08-24 03:04 - 2012-08-24 03:04 - 00000000 _RASH C:\MSDOS.SYS
2012-08-24 03:04 - 2012-08-24 03:04 - 00000000 _RASH C:\IO.SYS
2012-08-23 16:29 - 2012-08-23 16:29 - 00462848 ____A (Stardock Systems, Inc) C:\Users\Hivemind\AppData\Roaming\sinat.dll
2012-08-23 16:29 - 2012-08-23 16:29 - 00000000 ____D C:\Users\Hivemind\AppData\Local\{BD771006-ED82-11E1-8270-B8AC6F996F26}
2012-08-23 16:29 - 2012-08-23 16:29 - 00000000 ____D C:\Users\All Users\036DFF59DACFCB8CFC6F15BCF875EF7E
2012-08-23 12:20 - 2012-08-23 12:20 - 00065816 ____A (Trusteer Ltd.) C:\Windows\System32\Drivers\RapportKELL.sys
2012-08-17 04:19 - 2012-08-17 04:19 - 83023306 ___AT C:\Users\All Users\ism_0_llatsni.pad
2012-08-14 23:04 - 2012-06-28 16:52 - 12317184 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-08-14 23:04 - 2012-06-28 16:27 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-08-14 23:04 - 2012-06-28 16:16 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-08-14 23:04 - 2012-06-28 16:09 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-08-14 23:04 - 2012-06-28 16:09 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-08-14 23:04 - 2012-06-28 16:08 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-08-14 23:04 - 2012-06-28 16:07 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-08-14 23:04 - 2012-06-28 16:06 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-08-14 23:04 - 2012-06-28 16:04 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-08-14 23:04 - 2012-06-28 16:04 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-08-14 23:04 - 2012-06-28 16:01 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-08-14 23:04 - 2012-06-28 16:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-08-14 23:04 - 2012-06-28 16:00 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-08-14 23:04 - 2012-06-28 15:57 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-08-14 19:17 - 2012-07-18 09:47 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-08-14 19:17 - 2012-07-04 13:16 - 00057344 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-08-14 19:17 - 2012-07-04 13:14 - 00102912 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-08-14 19:17 - 2012-07-04 13:14 - 00041984 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll
2012-08-14 19:17 - 2012-05-13 20:33 - 00769024 ____A (Microsoft Corporation) C:\Windows\System32\localspl.dll
2012-08-14 19:17 - 2012-05-04 23:46 - 00400896 ____A (Microsoft Corporation) C:\Windows\System32\srcore.dll
2012-08-14 19:17 - 2012-02-10 21:43 - 00492032 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2012-08-14 19:17 - 2012-02-10 21:37 - 00317440 ____A (Microsoft Corporation) C:\Windows\System32\spoolsv.exe

============ 3 Months Modified Files ========================

2012-08-31 12:45 - 2009-12-02 10:43 - 01357127 ____A C:\Windows\WindowsUpdate.log
2012-08-31 12:39 - 2012-08-31 12:39 - 00902846 ____A (Farbar) C:\Users\Hivemind\Downloads\FRST.exe
2012-08-31 12:39 - 2012-08-31 12:39 - 00902846 ____A (Farbar) C:\Users\Hivemind\Desktop\FRST.exe
2012-08-31 12:23 - 2010-09-01 13:24 - 00000920 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3099448226-123921508-3403592340-1001UA.job
2012-08-31 09:38 - 2012-08-31 09:38 - 00053255 ____A C:\Users\Hivemind\Desktop\ark.txt
2012-08-31 09:08 - 2012-08-31 09:08 - 00050477 ____A C:\Users\Hivemind\Downloads\Defogger (2).exe
2012-08-31 09:08 - 2012-08-31 09:08 - 00050477 ____A C:\Users\Hivemind\Desktop\Defogger (2).exe
2012-08-31 09:02 - 2012-08-31 09:03 - 00302592 ____A C:\Users\Hivemind\Desktop\8yzoc6xn.exe
2012-08-31 09:02 - 2012-08-31 09:02 - 00302592 ____A C:\Users\Hivemind\Downloads\8yzoc6xn.exe
2012-08-31 09:01 - 2012-08-31 09:01 - 00302592 ____A C:\Users\Hivemind\Downloads\h5siz4f8.exe
2012-08-31 09:00 - 2012-08-31 09:00 - 00022343 ____A C:\Users\Hivemind\Desktop\DDS.txt
2012-08-31 09:00 - 2012-08-31 09:00 - 00009968 ____A C:\Users\Hivemind\Desktop\Attach.txt
2012-08-31 08:57 - 2012-08-31 08:57 - 00607260 ____R (Swearware) C:\Users\Hivemind\Downloads\dds.com
2012-08-31 08:56 - 2009-07-13 20:34 - 00013456 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-31 08:56 - 2009-07-13 20:34 - 00013456 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-31 08:47 - 2012-08-31 07:57 - 00000112 ____A C:\Windows\setupact.log
2012-08-31 08:47 - 2010-01-15 18:33 - 00000362 _RASH C:\Users\All Users\ntuser.pol
2012-08-31 08:47 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-31 08:45 - 2012-08-31 08:45 - 02211928 ____A (Kaspersky Lab ZAO) C:\Users\Hivemind\Desktop\tdsskiller.exe
2012-08-31 08:45 - 2012-08-31 08:44 - 02211928 ____A (Kaspersky Lab ZAO) C:\Users\Hivemind\Downloads\tdsskiller.exe
2012-08-31 08:44 - 2012-08-31 08:41 - 00000331 ____A C:\Start_.cmd
2012-08-31 08:43 - 2012-08-31 08:43 - 00000165 ____A C:\Users\Hivemind\Desktop\CF Script.txt
2012-08-31 08:40 - 2009-07-13 20:53 - 00032580 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-08-31 08:35 - 2012-08-31 08:34 - 01153912 ____A (Emsi Software GmbH) C:\Users\Hivemind\Downloads\BlitzBlank.exe
2012-08-31 08:29 - 2012-08-31 08:29 - 00050477 ____A C:\Users\Hivemind\Downloads\Defogger.exe
2012-08-31 08:29 - 2012-08-31 08:29 - 00050477 ____A C:\Users\Hivemind\Downloads\Defogger (1).exe
2012-08-31 08:18 - 2012-08-31 08:17 - 00079064 ____A C:\Users\Hivemind\Desktop\cc_new backup.reg
2012-08-31 07:57 - 2012-08-31 07:57 - 00000000 ____A C:\Windows\setuperr.log
2012-08-31 07:23 - 2012-08-31 07:23 - 04741772 ____R (Swearware) C:\Users\Hivemind\Desktop\ComboFix.exe
2012-08-31 07:02 - 2009-12-02 09:00 - 00760362 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-27 03:49 - 2010-09-01 13:23 - 00000868 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3099448226-123921508-3403592340-1001Core.job
2012-08-26 12:14 - 2011-12-07 17:25 - 00002012 ____A C:\Users\Public\Desktop\Avira Control Center.lnk
2012-08-24 03:04 - 2012-08-24 03:04 - 00000000 _RASH C:\MSDOS.SYS
2012-08-24 03:04 - 2012-08-24 03:04 - 00000000 _RASH C:\IO.SYS
2012-08-23 16:29 - 2012-08-23 16:29 - 00462848 ____A (Stardock Systems, Inc) C:\Users\Hivemind\AppData\Roaming\sinat.dll
2012-08-23 12:20 - 2012-08-23 12:20 - 00065816 ____A (Trusteer Ltd.) C:\Windows\System32\Drivers\RapportKELL.sys
2012-08-17 04:19 - 2012-08-17 04:19 - 83023306 ___AT C:\Users\All Users\ism_0_llatsni.pad
2012-08-14 23:29 - 2009-07-13 20:33 - 01779360 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-14 23:10 - 2011-12-14 17:42 - 00000129 ____A C:\Windows\System32\MRT.INI
2012-08-14 23:07 - 2009-12-06 20:19 - 59884088 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-18 09:47 - 2012-08-14 19:17 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-10 23:05 - 2009-07-13 18:04 - 00000513 ____A C:\Windows\win.ini
2012-07-04 13:53 - 2009-12-02 09:17 - 00116968 ____A C:\Users\Hivemind\AppData\Local\GDIPFONTCACHEV1.DAT
2012-07-04 13:50 - 2012-07-04 13:50 - 00012005 ____A C:\Users\Hivemind\Downloads\ff32759255ea83d2f4520fc2ffbef9c1b2cefed4.torrent
2012-07-04 13:16 - 2012-08-14 19:17 - 00057344 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-07-04 13:14 - 2012-08-14 19:17 - 00102912 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-07-04 13:14 - 2012-08-14 19:17 - 00041984 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll
2012-07-03 09:46 - 2010-09-14 07:17 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-28 16:52 - 2012-08-14 23:04 - 12317184 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-28 16:27 - 2012-08-14 23:04 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-28 16:16 - 2012-08-14 23:04 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-28 16:09 - 2012-08-14 23:04 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-28 16:09 - 2012-08-14 23:04 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-28 16:08 - 2012-08-14 23:04 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-28 16:07 - 2012-08-14 23:04 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-28 16:06 - 2012-08-14 23:04 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-28 16:04 - 2012-08-14 23:04 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-28 16:04 - 2012-08-14 23:04 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-28 16:01 - 2012-08-14 23:04 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-28 16:01 - 2012-08-14 23:04 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-28 16:00 - 2012-08-14 23:04 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-28 15:57 - 2012-08-14 23:04 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-08 20:41 - 2012-07-10 21:24 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-06 16:59 - 2012-06-06 16:59 - 01070152 ____A (Microsoft Corporation) C:\Windows\System32\MSCOMCTL.OCX
2012-06-06 10:11 - 2011-07-20 13:32 - 00001029 ____A C:\Users\Hivemind\Desktop\Dropbox.lnk
2012-06-05 21:05 - 2012-07-10 21:24 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 21:05 - 2012-07-10 21:24 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 21:03 - 2012-07-10 21:25 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll

ZeroAccess:
C:\Windows\Installer\{ae3ed72a-28e0-87fd-c005-02e07890bfec}
C:\Windows\Installer\{ae3ed72a-28e0-87fd-c005-02e07890bfec}\L
C:\Windows\Installer\{ae3ed72a-28e0-87fd-c005-02e07890bfec}\U
C:\Windows\Installer\{ae3ed72a-28e0-87fd-c005-02e07890bfec}\U\00000001.@
C:\Windows\Installer\{ae3ed72a-28e0-87fd-c005-02e07890bfec}\U\80000000.@
C:\Windows\Installer\{ae3ed72a-28e0-87fd-c005-02e07890bfec}\U\800000cb.@

ZeroAccess:
C:\Users\Hivemind\AppData\Local\{ae3ed72a-28e0-87fd-c005-02e07890bfec}
C:\Users\Hivemind\AppData\Local\{ae3ed72a-28e0-87fd-c005-02e07890bfec}\@
C:\Users\Hivemind\AppData\Local\{ae3ed72a-28e0-87fd-c005-02e07890bfec}\L
C:\Users\Hivemind\AppData\Local\{ae3ed72a-28e0-87fd-c005-02e07890bfec}\U

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-08-31 11:17:20

==================== Memory info ===========================

Percentage of memory in use: 21%
Total physical RAM: 2046.55 MB
Available physical RAM: 1604.63 MB
Total Pagefile: 2046.55 MB
Available Pagefile: 1611.01 MB
Total Virtual: 2047.88 MB
Available Virtual: 1960.7 MB

==================== Partitions ============================

1 Drive c: () (Fixed) (Total:139.73 GB) (Free:48.66 GB) NTFS
2 Drive e: (IPITP_63) (CDROM) (Total:0.29 GB) (Free:0 GB) CDFS
3 Drive f: (WD SmartWare) (CDROM) (Total:0.63 GB) (Free:0 GB) UDF
4 Drive g: (My Book) (Fixed) (Total:465.11 GB) (Free:0 GB) NTFS
5 Drive h: () (Removable) (Total:3.73 GB) (Free:3.64 GB) FAT32
7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
8 Drive y: () (Fixed) (Total:232.88 GB) (Free:175.55 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ###  Status         Size     Free     Dyn  Gpt
--------  -------------  -------  -------  ---  ---
Disk 0    Online         232 GB   0 B
Disk 1    Online         139 GB   0 B
Disk 2    Online         465 GB   0 B
Disk 3    Online         3819 MB  0 B
Disk 4    No Media       0 B      0 B

Partitions of Disk 0:
===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Primary           232 GB   1024 KB
Partition 2    Primary           1200 KB  232 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2  Y                 NTFS   Partition   232 GB   Healthy

==================================================================================

Disk: 0
Partition 2
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No

There is no volume associated with this partition.

==================================================================================

Partitions of Disk 1:
===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Primary           139 GB   1024 KB

==================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: No

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3  C                 NTFS   Partition   139 GB   Healthy

==================================================================================

Partitions of Disk 2:
===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Primary           465 GB   1024 KB

==================================================================================

Disk: 2
Partition 1
Type : 07
Hidden: No
Active: No

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4  G    My Book      NTFS   Partition   465 GB   Healthy

==================================================================================

Partitions of Disk 3:
===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Primary           3818 MB  16 KB

==================================================================================

Disk: 3
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 5  H                 FAT32  Removable   3818 MB  Healthy

==================================================================================

Last Boot: 2012-08-31 11:09

==================== End Of Log =============================

Farbar Recovery Scan Tool Version: 31-08-2012 01
Ran by SYSTEM at 2012-08-31 16:51:12
Running from H:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

C:\Windows\ERDNT\cache\services.exe
[2011-12-07 16:06] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

=== End Of Search ===

#4 CatByte

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 31 August 2012 - 04:33 PM

Please do the following:


Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.) Save it on the flashdrive as fixlist.txt

start
HKLM\...\Run: [wutltb] rundll32.exe ",ComputeStats [x]
2012-08-23 16:29 - 2012-08-23 16:29 - 00462848 ____A (Stardock Systems, Inc) C:\Users\Hivemind\AppData\Roaming\sinat.dll
2012-08-23 16:29 - 2012-08-23 16:29 - 00000000 ____D C:\Users\Hivemind\AppData\Local\{BD771006-ED82-11E1-8270-B8AC6F996F26}
2012-08-23 16:29 - 2012-08-23 16:29 - 00000000 ____D C:\Users\All Users\036DFF59DACFCB8CFC6F15BCF875EF7E
C:\Windows\Installer\{ae3ed72a-28e0-87fd-c005-02e07890bfec}
C:\Users\Hivemind\AppData\Local\{ae3ed72a-28e0-87fd-c005-02e07890bfec}
replace: C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe C:\Windows\System32\services.exe
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Reboot Normally.


NEXT


Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 lackluster

  • Topic Starter
  • Members
  • 3 posts

Posted 02 September 2012 - 11:32 AM

The file is too big to upload and too long to post. Would you prefer I split it up and try multiple posts?

#6 CatByte

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 02 September 2012 - 01:07 PM

Are you talking about the ComboFix log? Is it the "snapshot" section? If so, that can be removed; just post the rest of it.

If not, zip it up and attach it.



#7 CatByte

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 10 September 2012 - 06:28 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
