
Bifrose Winbooterr Trojan! Fast please


  • This topic is locked
28 replies to this topic

#1 Pajajn

Posted 14 September 2012 - 01:26 PM

It all began suddenly (most likely from a GTA and samp torrent). I scanned with Malwarebytes and came out with this log, attached! I thought omfg, so I scanned with ComboFix and attached that too.

I'm using wireless internet, and afterwards I couldn't connect. Or it did connect, but at 16 Mbps, when it usually stands at 300 Mbps. Then my connection just dropped out, which made me think that the infection is absolutely still there.

I'm logged in as Administrator right now in Safe Mode with Networking, and it's working flawlessly here, so please hurry; I only have this computer right now.

Regards

Attached Files





#2 Pajajn (Topic Starter)

Posted 14 September 2012 - 02:38 PM

Malwarebytes Anti-Malware 1.65.0.1300
www.malwarebytes.org

Database version: v2012.09.14.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
sylvass :: Z01M1NIS-145172 [administrator]

2012-09-14 16:49:43
mbam-log-2012-09-14 (16-49-43).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 264279
Time elapsed: 15 minute(s), 14 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCR\CLSID\{87TX58CT-738X-0W0O-5TNA-Q23K32O70YQ0} (Trojan.Backdoor) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{87TX58CT-738X-0W0O-5TNA-Q23K32O70YQ0} (Trojan.Backdoor) -> Quarantined and deleted successfully.

Registry Values Detected: 4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|HKLM (Trojan.Backdoor) -> Data: C:\WINDOWS\system32\Winbooterr\Svchost.exe -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|Policies (Trojan.Backdoor) -> Data: C:\WINDOWS\system32\Winbooterr\Svchost.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|HKCU (Trojan.Backdoor) -> Data: C:\WINDOWS\system32\Winbooterr\Svchost.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|Policies (Trojan.Backdoor) -> Data: C:\WINDOWS\system32\Winbooterr\Svchost.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\WINDOWS\system32\Winbooterr (Trojan.Backdoor) -> Quarantined and deleted successfully.

Files Detected: 5
C:\Fraps\New Folder\itiyitiy\asd\hae\ltrat.exe (RiskWare.Tool.CK) -> No action taken.
C:\Documents and Settings\sylvass\Application Data\logs.dat (Bifrose.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\sylvass\Local Settings\temp\UuU.uUu (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\sylvass\Local Settings\temp\XxX.xXx (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Winbooterr\Svchost.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.

(end)

#3 Blind Faith (Malware Response Team)

Posted 15 September 2012 - 05:25 PM

Hello and welcome to BleepingComputer! :)

I am Elle and I will be helping you out with your problem. Firstly, you should know that we are working with specific tools which are used to identify the possible threats present on your system, so I will analyze the results they produce.

As a start we need to have some more up-to-date logs than the ones you have already provided. The current state of the files on your system might have changed, so we need to get a clear look at that aspect. DO NOT make any changes to the system except the ones I tell you to, as that may do more damage than help us.

If you encounter a delay of over 2 days from me, please don't hesitate to private message me (link in the signature).
Do not forget to check your topic periodically and subscribe to it so that you can receive notifications regarding my replies.

Please generate another DDS log (download it from http://download.bleepingcomputer.com/sUBs/dds.com if you haven't already) and post it in your next reply along with other changes that may have occurred since you last posted.
Also download and run GMER from this link: GMER download link.

Thank you very much for your patience.

Regards,

Elle
Can you hear it? It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro?

If I haven't replied in 48 hours, please feel free to send me a PM.

#4 Pajajn (Topic Starter)

Posted 17 September 2012 - 09:05 AM

By the way, ESET being disabled is not permanent. I just used the 1-hour deactivation ^_^

Here is the DDS log, also attached
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by sylvass at 15:33:31 on 2012-09-17
Microsoft Windows XP Professional 5.1.2600.3.1252.46.1033.18.3327.2199 [GMT 2:00]
.
AV: ESET Smart Security 5.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Gamma\gapa.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\sylvass\My Documents\Hämtade filer\dds.com
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.se/
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NUSB3MON] "c:\program files\renesas electronics\usb 3.0 host controller driver\application\nusb3mon.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
uPolicies-system: EnableLUA = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{247803CD-A1A1-4747-8288-625D24ABF37E} : DhcpNameServer = 192.168.1.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
SecurityProviders: schannel.dll, credssp.dll, digest.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\sylvass\application data\mozilla\firefox\profiles\wazhtpt4.default-1344293744781\
FF - prefs.js: browser.startup.homepage - google.se
FF - plugin: c:\documents and settings\sylvass\application data\mozilla\plugins\NPSWF32.dll
FF - plugin: c:\program files\voiplay\npvoiplay.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_235.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mv61xxmm;mv61xxmm;c:\windows\system32\drivers\mv61xxmm.sys [2011-10-14 13616]
R0 mv64xxmm;mv64xxmm;c:\windows\system32\drivers\mv64xxmm.sys [2011-10-14 5632]
R0 mvxxmm;mvxxmm;c:\windows\system32\drivers\mvxxmm.sys [2011-10-14 13616]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2012-3-14 120152]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2012-3-7 913144]
R3 AE1000;Linksys AE1000 Driver;c:\windows\system32\drivers\AE1000XP.sys [2011-11-25 1174976]
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [2011-10-18 78136]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [2010-4-27 64904]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2010-4-27 146568]
R3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [2011-10-18 181432]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2012-8-31 1691480]
S3 hitmanpro36;HitmanPro 3.6 Support Driver;c:\windows\system32\drivers\hitmanpro36.sys [2012-9-14 27424]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys --> c:\windows\system32\drivers\nvhda32.sys [?]
S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\drivers\procexp151.sys --> c:\windows\system32\drivers\PROCEXP151.SYS [?]
S3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\drivers\ss.sys --> c:\windows\system32\drivers\ss.sys [?]
S4 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2012-7-11 116608]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
.
=============== Created Last 30 ================
.
2012-09-17 11:14:21 991232 ----a-w- c:\windows\system32\xcSxatsPseLd32.dll
2012-09-16 13:22:43 -------- d-----w- c:\program files\XZONE REACTOR Application
2012-09-15 22:57:58 -------- d-----w- c:\program files\VOIPlay
2012-09-15 22:57:58 -------- d-----w- c:\documents and settings\all users\application data\VOIPlay
2012-09-15 20:51:37 -------- d-----w- c:\documents and settings\sylvass\application data\TeamViewer
2012-09-14 19:02:42 -------- d-----w- c:\documents and settings\sylvass\local settings\application data\ESET
2012-09-14 19:02:42 -------- d-----w- c:\documents and settings\sylvass\application data\ESET
2012-09-14 18:58:22 -------- d-----w- c:\program files\ESET
2012-09-14 18:14:22 27424 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-09-14 18:13:50 -------- d-----w- c:\program files\HitmanPro
2012-09-14 15:26:13 -------- d-----w- c:\documents and settings\sylvass\application data\SUPERAntiSpyware.com
2012-09-14 15:25:53 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-09-14 15:25:47 -------- d-----w- c:\documents and settings\all users\application data\SUPERSetup
2012-09-13 11:20:09 -------- d-sha-r- C:\cmdcons
2012-09-09 19:58:10 -------- d-----w- c:\program files\Steam
2012-09-07 18:14:45 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-07 18:14:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-09-06 00:09:19 -------- d-----w- c:\documents and settings\sylvass\application data\To the Moon - Freebird Games
2012-09-06 00:08:55 -------- d-----w- c:\program files\Foxy Games
2012-09-06 00:08:55 -------- d-----w- C:\Downloads
2012-09-05 11:19:10 -------- d-----w- c:\program files\Diablo III
2012-08-31 07:51:18 -------- d-----w- c:\documents and settings\sylvass\application data\LolClient
2012-08-31 07:12:54 -------- d-----w- C:\Riot Games
2012-08-31 06:34:03 -------- d-----w- c:\windows\system32\RTCOM
2012-08-30 18:11:53 240608 ----a-w- c:\windows\system32\nvdrsdb0.bin
2012-08-30 18:10:45 240608 ----a-w- c:\windows\system32\nvdrsdb1.bin
2012-08-30 18:10:45 1 ----a-w- c:\windows\system32\nvdrssel.bin
2012-08-30 18:10:21 14532608 ----a-w- c:\windows\system32\nvoglnt.dll
2012-08-30 18:09:55 1462272 ----a-w- c:\windows\system32\nvapi.dll
2012-08-30 18:09:53 9624096 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2012-08-30 18:09:51 6359552 ----a-w- c:\windows\system32\nv4_disp.dll
2012-08-30 18:04:39 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2012-08-30 17:34:17 888424 ----a-r- c:\windows\system32\nvdispco32.dll
2012-08-30 17:34:17 813672 ----a-r- c:\windows\system32\nvgenco32.dll
2012-08-30 17:33:55 2293194 ----a-w- c:\windows\system32\nvdata.bin
2012-08-30 17:33:54 2932840 ----a-w- c:\windows\system32\nvcuvid.dll
2012-08-30 17:33:54 2666600 ----a-w- c:\windows\system32\nvcuvenc.dll
2012-08-30 17:33:53 4882432 ----a-w- c:\windows\system32\nvcuda.dll
2012-08-30 17:33:29 13012992 ----a-w- c:\windows\system32\nvcompiler.dll
2012-08-30 17:32:51 -------- d-----w- c:\program files\NVIDIA Corporation
2012-08-30 17:20:51 61440 ----a-w- c:\windows\system32\OpenCL.dll
2012-08-30 17:15:38 -------- d-----w- c:\windows\system32\dllcache
.
==================== Find3M ====================
.
2012-08-30 18:07:20 49408 ----a-w- c:\windows\system32\drivers\stream.sys
2012-08-30 18:07:18 146048 ----a-w- c:\windows\system32\drivers\portcls.sys
2012-08-30 18:07:16 60160 ----a-w- c:\windows\system32\drivers\drmk.sys
2012-08-30 18:07:16 4096 ----a-w- c:\windows\system32\ksuser.dll
2012-08-30 18:07:16 141056 ----a-w- c:\windows\system32\drivers\ks.sys
2012-08-30 18:07:16 129536 ----a-w- c:\windows\system32\ksproxy.ax
2012-08-05 20:37:58 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-05 20:37:57 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-15 20:40:22 144128 ----a-w- c:\windows\system32\drivers\usbport.sys
2012-07-03 15:40:26 836496 ----a-w- c:\windows\system32\drivers\ESLWireACD.sys
.
============= FINISH: 15:33:47,43 ===============


GMER log, also attached
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-09-17 16:04:41
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3 SAMSUNG_HD103SJ rev.1AJ10001
Running: gmer.exe; Driver: C:\DOCUME~1\sylvass\LOCALS~1\Temp\ffwyypoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwAssignProcessToJobObject [0xB24B64B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwCreateThread [0xB24B67F0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDebugActiveProcess [0xB24B6AB0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDuplicateObject [0xB24B65D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwLoadDriver [0xB24B68B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenProcess [0xB24B6350]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenThread [0xB24B6410]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwProtectVirtualMemory [0xB24B6570]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwQueueApcThread [0xB24B6630]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetContextThread [0xB24B6530]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetInformationThread [0xB24B64F0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSecurityObject [0xB24B6670]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSystemInformation [0xB24B6870]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendProcess [0xB24B63B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendThread [0xB24B6430]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSystemDebugControl [0xB24B6830]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateProcess [0xB24B6370]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateThread [0xB24B6470]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwWriteVirtualMemory [0xB24B65F0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2FD8 80504874 12 Bytes [B0, 63, 4B, B2, 30, 64, 4B, ...]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB504C3A0, 0x5CC319, 0xE8000020]
? C:\DOCUME~1\sylvass\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1540] USER32.dll!DefWindowProcA + 11A 7E42C298 7 Bytes JMP 105CD6C8 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1540] USER32.dll!SetWindowLongA + 19 7E42C2B6 7 Bytes JMP 105CD657 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1540] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 10413F0F C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1540] USER32.dll!GetMenuContextHelpId + 1A 7E465319 7 Bytes JMP 1041453A C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1772] kernel32.dll!SetUnhandledExceptionFilter 7C844935 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3080] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 0120F3A0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3080] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 014473E8 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3080] kernel32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 014473C5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3080] kernel32.dll!ValidateLocale + B138 7C844930 7 Bytes JMP 01213B48 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3080] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 01447346 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)

---- EOF - GMER 1.0.15 ----



By the way, could you take a look at whether there are any files (.sys) in my system that aren't bound to anything at this moment? I like it clean :)

Attached Files
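The GMER output in the post above lists nineteen SSDT hooks, all owned by ehdrv.sys and all labelled "ESET Helper driver/ESET", plus a handful of user-mode inline hooks in Firefox and ESET's own ekrn.exe. Reading a log like this by hand means answering two questions for every hook: which file installed it, and is that file something we expect to hook (an AV self-protection driver, a browser) or not. The Python below is an added example, not code from the post or from GMER. It parses the SSDT and ".text" line formats shown above, groups hooks by the owning file, and flags two things: hooks from files outside a per-host allow-list, and SSDT hooks on the functions a kernel rootkit patches to hide files, processes and registry keys. SAMPLE contains a few lines taken from the post plus one constructed, hypothetical SSDT line for a driver named unknown.sys, which does not appear anywhere in the poster's logs, so that the unattributed case is exercised; KNOWN and HIDING_FUNCS are this example's own lists.

```python
"""Attribution of GMER SSDT and user-mode hook lines.  Added example, not
part of the forum post or of GMER.  SAMPLE holds lines from the GMER log
in the post plus one constructed, hypothetical SSDT line ('unknown.sys' is
not on the poster's machine); KNOWN and HIDING_FUNCS are assumptions."""
import re
from collections import defaultdict

SAMPLE = r"""
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenProcess [0xB24B6350]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwLoadDriver [0xB24B68B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwWriteVirtualMemory [0xB24B65F0]
SSDT \??\C:\WINDOWS\system32\drivers\unknown.sys ZwQueryDirectoryFile [0xF8A1C2D0]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3080] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 0120F3A0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1772] kernel32.dll!SetUnhandledExceptionFilter 7C844935 4 Bytes [C2, 04, 00, 00]
"""

# Allow-list keyed on the hooking file's name.  The parenthesised text GMER
# prints is version-resource text that any file can carry, so it is treated as
# informational; confirm with a hash or Authenticode check in practice (omitted).
KNOWN = {
    "ehdrv.sys": "ESET Smart Security self-protection driver",
    "ekrn.exe": "ESET Smart Security service",
    "xul.dll": "Mozilla Firefox",
}
# SSDT entries a kernel rootkit hooks to hide files, processes and registry keys.
HIDING_FUNCS = {"ZwQueryDirectoryFile", "ZwQuerySystemInformation",
                "ZwEnumerateKey", "ZwEnumerateValueKey"}

SSDT_RE = re.compile(r"^SSDT\s+(?P<module>.+?)(?:\s+\((?P<desc>[^)]*)\))?"
                     r"\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$")
USER_RE = re.compile(r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<api>[\w.]+![\w@]+)"
                     r"(?:\s*\+\s*[0-9A-Fa-f]+)?\s+(?P<addr>[0-9A-Fa-f]+)\s+(?P<n>\d+)\s+Bytes\s+(?P<patch>.+)$")
JMP_RE = re.compile(r"^JMP\s+[0-9A-Fa-f]+\s+(?P<target>.+?)(?:\s+\((?P<vendor>[^)]*)\))?$")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_gmer(text):
    """One dict per hook: kind ('ssdt'/'user'), owner (file that installed it),
    hooked (Zw function or module!export), desc (GMER's version text)."""
    hooks = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SSDT_RE.match(line):
            hooks.append({"kind": "ssdt", "owner": m["module"],
                          "hooked": m["func"], "desc": m["desc"] or ""})
        elif m := USER_RE.match(line):
            j = JMP_RE.match(m["patch"])
            # A JMP names the module the hook lands in; a raw byte patch such as
            # [C2, 04, 00, 00] (RET 4) is attributed to the patched process itself.
            owner = j["target"] if j else m["proc"]
            hooks.append({"kind": "user", "owner": owner, "hooked": m["api"],
                          "desc": (j["vendor"] if j else None) or "", "pid": int(m["pid"])})
    return hooks


def hooks_by_module(text):
    """Group hooked functions under the file that installed them."""
    grouped = defaultdict(list)
    for h in parse_gmer(text):
        grouped[basename(h["owner"])].append(h["hooked"])
    return {k: sorted(v) for k, v in grouped.items()}


def triage(text):
    """Findings: hooks by files outside the allow-list, and SSDT hooks on the
    hiding functions regardless of who owns them."""
    findings = []
    for h in parse_gmer(text):
        who = basename(h["owner"])
        if who not in KNOWN:
            findings.append(("unattributed", who, h["hooked"]))
        if h["kind"] == "ssdt" and h["hooked"] in HIDING_FUNCS:
            findings.append(("hiding", who, h["hooked"]))
    return findings


if __name__ == "__main__":
    for module, funcs in hooks_by_module(SAMPLE).items():
        print(f"{module:12} {KNOWN.get(module, 'UNKNOWN')}: {', '.join(funcs)}")
    for finding in triage(SAMPLE):
        print("FINDING", finding)
```

On the real log from the post every SSDT hook collapses to one owner, ehdrv.sys, and the user-mode hooks to xul.dll and ekrn.exe, so triage() returns nothing; only the constructed unknown.sys line produces findings, once for being unattributed and once for hooking ZwQueryDirectoryFile. The functions ESET hooks (ZwOpenProcess, ZwTerminateProcess, ZwWriteVirtualMemory, ZwLoadDriver and so on) are the ones an AV patches to keep malware from killing or injecting into it, which is why they are not in HIDING_FUNCS.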



#5 Blind Faith (Malware Response Team)

Posted 20 September 2012 - 07:37 AM

Hi there,

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

=========================================================================

If you decide to continue:

Are you able to connect to the Internet?

Elle

#6 Pajajn (Topic Starter)

Posted 24 September 2012 - 11:01 AM

Hi there Blind Faith :inlove:

My decision is to continue, if it's okay with you. I could install a 3rd party firewall (currently using ESET Smart) and set up a rule to check programs using their own NDIS protocols and such, to monitor all internet traffic, if :busy:

Awaiting further instructions :clapping:

#7 Blind Faith (Malware Response Team)

Posted 25 September 2012 - 11:58 AM

Hi there,

So the Internet connection functions normally?

==================================================================================================

IMPORTANT!: If you ran or want to run ComboFix on your own due to malware infection, please be aware that using it is only one part of the disinfection process. Preliminary scans from other tools like DDS, RSIT and GMER should be used first because they provide comprehensive logs with specific details about files, folders and registry keys which may have been modified by malware infection. Analysis of those logs allows planning a strategy for effective disinfection and a determination of whether using ComboFix is necessary.

Further, when issues arise due to complex malware infections, possible false detections, problems running ComboFix or with other security tools causing conflicts, experts are usually aware of them and can advise what should or should not be done while providing individual assistance. When false detections are identified, experts have access to the developer and can report them so he can investigate, confirm and make corrections. Those attempting to use ComboFix on their own do not have such information and are at risk when running the tool in an unsupervised environment.

If you ran or want to run ComboFix on your own just to see what it does or finds, please be aware that ComboFix was never meant to be used as a general purpose malware scanner like SUPERAntiSpyware or Malwarebytes' Anti-Malware, which scan individual drives or different folders on a computer for viruses. Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again. Please read the pinned topic ComboFix usage, Questions, Help? - Look here.

=============================================================================================================================

Delete the already existing Combofix.exe on your system.

Please download ComboFix from one of these locations:
  • Bleepingcomputer
  • ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

Elle

#8 Pajajn (Topic Starter)

Posted 26 September 2012 - 07:27 AM

:blink: Sorry for the late reply, but here is the ComboFix log :thumbup2: please take a look

ComboFix 12-09-24.03 - sylvass 2012-09-25 21:27:15.9.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.46.1033.18.3327.2349 [GMT 2:00]
Running from: c:\documents and settings\sylvass\My Documents\Hämtade filer\ComboFix.exe
AV: ESET Smart Security 5.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal Firewall *Enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Resident AV is active
.
.
.
(((((((((((((((((((((((( Files Created from 2012-08-25 to 2012-09-25 ))))))))))))))))))))))))))))))
.
.
2012-09-25 12:58 . 2012-09-25 12:58 -------- d-----w- c:\documents and settings\sylvass\Local Settings\Application Data\Temp
2012-09-25 12:58 . 2012-09-25 12:58 -------- d-----w- c:\documents and settings\sylvass\Local Settings\Application Data\Adobe
2012-09-25 12:42 . 2012-09-25 12:42 -------- d-----w- c:\documents and settings\sylvass\Application Data\Personal
2012-09-19 17:13 . 2012-09-20 16:17 1015296 ----a-w- c:\windows\system32\xcSxatsPseLd32.dll
2012-09-17 17:43 . 2012-09-17 17:46 -------- d-----w- c:\program files\OpenVPN
2012-09-16 13:22 . 2012-09-20 16:44 -------- d-----w- c:\program files\XZONE REACTOR Application
2012-09-15 22:57 . 2012-09-19 13:11 -------- d-----w- c:\program files\VOIPlay
2012-09-15 22:57 . 2012-09-15 22:57 -------- d-----w- c:\documents and settings\All Users\Application Data\VOIPlay
2012-09-15 20:51 . 2012-09-15 20:54 -------- d-----w- c:\documents and settings\sylvass\Application Data\TeamViewer
2012-09-14 19:02 . 2012-09-14 19:02 -------- d-----w- c:\documents and settings\sylvass\Local Settings\Application Data\ESET
2012-09-14 19:02 . 2012-09-14 19:02 -------- d-----w- c:\documents and settings\sylvass\Application Data\ESET
2012-09-14 19:01 . 2012-09-14 19:01 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2012-09-14 18:58 . 2012-09-14 18:58 -------- d-----w- c:\program files\ESET
2012-09-14 18:58 . 2012-09-14 18:58 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2012-09-14 18:20 . 2012-09-14 18:20 -------- d-----w- c:\documents and settings\Administrator.Z01M1NIS-145172
2012-09-14 18:14 . 2012-09-14 18:14 27424 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-09-14 18:13 . 2012-09-14 18:13 -------- d-----w- c:\program files\HitmanPro
2012-09-14 15:26 . 2012-09-14 15:26 -------- d-----w- c:\documents and settings\sylvass\Application Data\SUPERAntiSpyware.com
2012-09-14 15:25 . 2012-09-14 15:26 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-09-14 15:25 . 2012-09-14 15:25 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERSetup
2012-09-09 19:58 . 2012-09-25 17:14 -------- d-----w- c:\program files\Steam
2012-09-07 18:14 . 2012-09-07 18:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-09-07 18:14 . 2012-09-04 19:01 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-06 00:09 . 2012-09-06 00:12 -------- d-----w- c:\documents and settings\sylvass\Application Data\To the Moon - Freebird Games
2012-09-06 00:08 . 2012-09-06 00:08 -------- d-----w- c:\program files\Foxy Games
2012-09-06 00:08 . 2012-09-06 00:08 -------- d-----w- C:\Downloads
2012-09-05 11:19 . 2012-09-10 16:20 -------- d-----w- c:\program files\Diablo III
2012-08-31 07:51 . 2012-08-31 07:51 -------- d-----w- c:\documents and settings\sylvass\Application Data\LolClient
2012-08-31 07:12 . 2012-08-31 07:12 -------- d-----w- C:\Riot Games
2012-08-31 06:34 . 2012-08-31 06:34 -------- d-----w- c:\windows\system32\RTCOM
2012-08-30 18:11 . 2012-08-31 13:14 240608 ----a-w- c:\windows\system32\nvdrsdb0.bin
2012-08-30 18:10 . 2012-08-31 13:14 240608 ----a-w- c:\windows\system32\nvdrsdb1.bin
2012-08-30 18:10 . 2012-08-31 13:14 1 ----a-w- c:\windows\system32\nvdrssel.bin
2012-08-30 18:10 . 2010-10-19 07:58 14532608 ----a-w- c:\windows\system32\nvoglnt.dll
2012-08-30 18:09 . 2010-10-19 07:58 1462272 ----a-w- c:\windows\system32\nvapi.dll
2012-08-30 18:09 . 2010-10-19 07:58 9624096 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2012-08-30 18:09 . 2010-10-19 07:58 6359552 ----a-w- c:\windows\system32\nv4_disp.dll
2012-08-30 18:04 . 2012-08-30 18:06 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2012-08-30 17:34 . 2010-10-19 07:58 888424 ----a-r- c:\windows\system32\nvdispco32.dll
2012-08-30 17:34 . 2010-10-19 07:58 813672 ----a-r- c:\windows\system32\nvgenco32.dll
2012-08-30 17:33 . 2010-10-19 07:58 2293194 ----a-w- c:\windows\system32\nvdata.bin
2012-08-30 17:33 . 2010-10-19 07:58 2932840 ----a-w- c:\windows\system32\nvcuvid.dll
2012-08-30 17:33 . 2010-10-19 07:58 2666600 ----a-w- c:\windows\system32\nvcuvenc.dll
2012-08-30 17:33 . 2010-10-19 07:58 4882432 ----a-w- c:\windows\system32\nvcuda.dll
2012-08-30 17:33 . 2010-10-19 07:58 13012992 ----a-w- c:\windows\system32\nvcompiler.dll
2012-08-30 17:32 . 2012-08-31 06:27 -------- d-----w- c:\program files\NVIDIA Corporation
2012-08-30 17:20 . 2010-10-19 07:58 61440 ----a-w- c:\windows\system32\OpenCL.dll
2012-08-30 17:15 . 2012-09-13 11:01 -------- d-----w- c:\windows\system32\dllcache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-30 18:07 . 2008-04-13 22:15 49408 ----a-w- c:\windows\system32\drivers\stream.sys
2012-08-30 18:07 . 2011-10-29 03:57 146048 ----a-w- c:\windows\system32\drivers\portcls.sys
2012-08-30 18:07 . 2011-10-29 03:57 60160 ----a-w- c:\windows\system32\drivers\drmk.sys
2012-08-30 18:07 . 2011-10-29 03:57 4096 ----a-w- c:\windows\system32\ksuser.dll
2012-08-30 18:07 . 2011-10-29 03:57 129536 ----a-w- c:\windows\system32\ksproxy.ax
2012-08-30 18:07 . 2008-04-13 22:46 141056 ----a-w- c:\windows\system32\drivers\ks.sys
2012-08-05 20:37 . 2012-08-05 20:37 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-05 20:37 . 2012-08-05 20:37 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-15 20:40 . 2011-10-14 18:06 144128 ----a-w- c:\windows\system32\drivers\usbport.sys
2012-07-03 15:40 . 2012-04-01 15:40 836496 ----a-w- c:\windows\system32\drivers\ESLWireACD.sys
2012-08-30 12:34 . 2012-08-30 12:34 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
<pre>
c:\program files\XZONE REACTOR Application\XZONE REACTOR Application .exe
</pre>
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-10-14 . EA22DA5C7AE7192A12E37A7C546220C6 . 361600 . . [5.1.2600.6009] . . c:\windows\system32\drivers\tcpip.sys
.
[-] 2011-10-14 . E17798E1E6FF1CA9C67B8576570E05EE . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-18 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-18 13851752]
"RTHDCPL"="RTHDCPL.EXE" [2010-07-06 19556968]
"NUSB3MON"="c:\program files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-04-27 113288]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2012-03-07 3117344]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, credssp.dll, digest.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\sylvass\\Application Data\\Spotify\\spotify.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Battle.net\\Agent\\Agent.1225\\Agent.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Battle.net\\Agent\\Agent.1267\\Agent.exe"=
"c:\\Program Files\\Diablo III\\Diablo III.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\pajajn327\\counter-strike\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\ferizn1337\\counter-strike\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\karuchi1337\\counter-strike\\hl.exe"=
.
R0 mv61xxmm;mv61xxmm;c:\windows\system32\drivers\mv61xxmm.sys [2011-10-14 13616]
R0 mv64xxmm;mv64xxmm;c:\windows\system32\drivers\mv64xxmm.sys [2011-10-14 5632]
R0 mvxxmm;mvxxmm;c:\windows\system32\drivers\mvxxmm.sys [2011-10-14 13616]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2012-03-14 120152]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2011-07-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2012-03-07 913144]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [2010-04-27 64904]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2010-04-27 146568]
S3 AE1000;Linksys AE1000 Driver;c:\windows\system32\drivers\AE1000XP.sys [2011-11-25 1174976]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2012-08-31 1691480]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [2011-10-18 78136]
S3 hitmanpro36;HitmanPro 3.6 Support Driver;c:\windows\system32\drivers\hitmanpro36.sys [2012-09-14 27424]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys --> c:\windows\system32\drivers\nvhda32.sys [?]
S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\Drivers\PROCEXP151.SYS --> c:\windows\system32\Drivers\PROCEXP151.SYS [?]
S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [2011-10-18 181432]
S3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\DRIVERS\ss.sys --> c:\windows\system32\DRIVERS\ss.sys [?]
S4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [2012-07-11 116608]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-03-30 239336]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.se/
FF - ProfilePath - c:\documents and settings\sylvass\Application Data\Mozilla\Firefox\Profiles\wazhtpt4.default-1344293744781\
FF - prefs.js: browser.startup.homepage - google.se
.
- - - - ORPHANS REMOVED - - - -
.
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
SafeBoot-90829255.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-25 21:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2924)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\RTHDCPL.EXE
.
**************************************************************************
.
Completion time: 2012-09-25 21:32:54 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-25 19:32
ComboFix2.txt 2012-09-14 16:46
ComboFix3.txt 2012-09-13 11:23
ComboFix4.txt 2012-07-26 17:38
ComboFix5.txt 2012-09-25 19:26
.
Pre-Run: 493 382 115 328 bytes free
Post-Run: 493 499 867 136 bytes free
.
- - End Of File - - 05F6B450E5E28AB8328921A83768882A

#9 Blind Faith (Malware Response Team)

Posted 27 September 2012 - 06:34 PM

Hi there,



Please go to the C:\Qoobox\ folder and copy/paste the contents of the ComboFix5.txt file. We would like to have a look at it.





Elle
Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.




#10 Pajajn (Topic Starter)

Posted 30 September 2012 - 10:32 AM

Sorry for the late reply.. I was not at home during Fri, Sat <_<

ComboFix 12-07-26.03 - sylvass 2012-07-25 22:13:34.3.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.46.1033.18.3327.2776 [GMT 1:00]
Running from: c:\documents and settings\sylvass\My Documents\Hämtade filer\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\windows\XSxS
.
.
(((((((((((((((((((((((( Files Created from 2012-06-25 to 2012-07-25 ))))))))))))))))))))))))))))))
.
.
2012-07-23 04:10 . 2012-07-23 04:11 -------- d-----w- c:\documents and settings\sylvass\Application Data\Screaming Bee
2012-07-23 04:10 . 2012-07-23 04:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Screaming Bee
2012-07-23 04:04 . 2012-07-23 14:22 -------- d-----w- c:\program files\VS Revo Group
2012-07-23 03:59 . 2008-12-26 11:56 17792 ----a-w- c:\windows\system32\drivers\vcsvad.sys
2012-07-20 22:56 . 2012-07-20 22:56 -------- d-----w- c:\documents and settings\sylvass\temp
2012-07-19 19:57 . 2012-07-19 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\regid.1986-12.com.adobe
2012-07-19 19:47 . 2012-07-19 19:47 -------- d-----w- c:\program files\Adobe Media Player
2012-07-19 19:40 . 2012-07-19 19:57 -------- d-----w- c:\program files\Common Files\Adobe
2012-07-19 19:40 . 2012-07-19 19:57 -------- d-----w- c:\documents and settings\sylvass\Local Settings\Application Data\Adobe
2012-07-19 00:25 . 2012-07-19 19:59 -------- d-----w- c:\documents and settings\sylvass\Application Data\mIRC
2012-07-19 00:25 . 2012-07-19 16:24 -------- d-----w- c:\program files\mIRC
2012-07-18 00:25 . 2012-07-25 18:47 -------- d-----w- c:\program files\XZONE REACTOR Application
2012-07-13 00:27 . 2004-03-29 15:23 90112 ----a-w- c:\windows\unvise32.exe
2012-07-13 00:27 . 2012-07-13 00:27 -------- d-----w- c:\program files\Magic Bullet Looks Vegas
2012-07-13 00:21 . 2012-07-23 04:30 -------- d-----w- c:\documents and settings\sylvass\Application Data\Audacity
2012-07-08 01:41 . 2012-07-08 01:41 -------- d-----w- c:\documents and settings\sylvass\Local Settings\Application Data\Sony
2012-07-07 16:49 . 2012-07-07 18:34 -------- d-----w- c:\documents and settings\sylvass\Application Data\ImgBurn
2012-07-01 02:16 . 2012-07-14 14:02 -------- d-----w- c:\program files\OpenVPN
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-15 20:40 . 2011-10-14 18:06 144128 ----a-w- c:\windows\system32\drivers\usbport.sys
2012-06-17 15:40 . 2012-06-17 15:40 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-17 15:40 . 2012-06-17 15:40 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-13 03:19 . 2012-06-17 13:55 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
<pre>
c:\program files\XZONE REACTOR Application\XZONE REACTOR Application .exe
</pre>
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-10-14 . EA22DA5C7AE7192A12E37A7C546220C6 . 361600 . . [5.1.2600.6009] . . c:\windows\system32\drivers\tcpip.sys
.
[-] 2011-10-14 . E17798E1E6FF1CA9C67B8576570E05EE . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2010-07-06 19556968]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-10-08 16744256]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, credssp.dll, digest.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\sylvass\\Application Data\\Spotify\\spotify.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\eqoj\\counter-strike\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\pajajn327\\counter-strike\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\lcob\\counter-strike\\hl.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57676:TCP"= 57676:TCP:Pando Media Booster
"57676:UDP"= 57676:UDP:Pando Media Booster
.
R0 mv61xxmm;mv61xxmm;c:\windows\system32\drivers\mv61xxmm.sys [2011-10-14 13616]
R0 mv64xxmm;mv64xxmm;c:\windows\system32\drivers\mv64xxmm.sys [2011-10-14 5632]
R0 mvxxmm;mvxxmm;c:\windows\system32\drivers\mvxxmm.sys [2011-10-14 13616]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2011-07-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
R3 AE1000;Linksys AE1000 Driver;c:\windows\system32\drivers\AE1000XP.sys [2011-11-25 1174976]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [2010-04-27 64904]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2010-04-27 146568]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2011-12-09 119656]
R3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\drivers\nvoclock.sys [2009-09-15 38248]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2011-10-29 1691480]
S3 ATP;Comodo Unite Miniport Driver;c:\windows\system32\DRIVERS\cmdatp.sys --> c:\windows\system32\DRIVERS\cmdatp.sys [?]
S3 BKNDIS5;BKNDIS5 NDIS Protocol Driver; [x]
S3 netr73;Belkin Wireless G Plus MIMO USB Network Adapter Driver for Vista;c:\windows\system32\drivers\netr73.sys [2006-09-28 247808]
S3 PROCEXP151;PROCEXP151; [x]
S3 RTCore32;RTCore32;c:\program files\MSI Afterburner\RTCore32.sys [2005-05-25 4608]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2010-07-01 34896]
S3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\DRIVERS\ss.sys --> c:\windows\system32\DRIVERS\ss.sys [?]
S3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [2012-07-23 17792]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-03-30 239336]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.se/
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\sylvass\Application Data\Mozilla\Firefox\Profiles\m745otmc.default\
FF - prefs.js: browser.startup.homepage - www.google.se
.
- - - - ORPHANS REMOVED - - - -
.
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-25 22:17
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1556)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\savedump.exe
c:\windows\system32\nvsvc32.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2012-07-25 22:19:05 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-25 21:19
.
Pre-Run: 338 432 913 408 bytes free
Post-Run: 338 548 252 672 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-SVE.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - 80723EFA3086E10B1E8B7009CBFDA110

#11 Pajajn (Topic Starter)

Posted 01 October 2012 - 04:51 AM

Btw what is this DLL :wacko:
xcSxatsPseLd32.dll

Googled it and got zero matches except this thread..

#12 Blind Faith (Malware Response Team)

Posted 01 October 2012 - 01:05 PM

Hi there,


You have not answered one of my previous questions:


After all, is the Internet connection working normally (please be more explicit)? Knowing this detail may help us. :)





#13 Pajajn (Topic Starter)

Posted 02 October 2012 - 01:01 PM

It's working like a charm so far :clapping:

What is this located in my system folder?
xcSxatsPseLd32.dll


#14 Blind Faith (Malware Response Team)

Posted 04 October 2012 - 11:17 AM

Hi there,



Going over your logs I noticed that you have uTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall uTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.
=========================================================================================



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

RenV::
c:\program files\XZONE REACTOR Application\XZONE REACTOR Application .exe


Save this as CFScript.txt, in the same location as ComboFix.exe


[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt onto ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


==============================================================================================



Please visit the online Jotti Virus Scanner.
  • Browse to the following filepath:

    c:\windows\system32\xcSxatsPseLd32.dll

  • Click the button to submit the file.
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.





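The items a triager pulls out of logs like the ones above (the firewall switched off, ports opened to the world, the oddly named file ComboFix lists in its `<pre>` block, the Sigcheck `[-]` entries, services whose binary no longer exists) are easy to miss by eye across several ComboFix runs, so it is worth scripting. The block below is an added example, not code from this thread, from ComboFix or from BleepingComputer; it runs over a constructed sample of a few lines modelled on the logs above and flags each of those categories. The regular expressions and category names are this example's own. Two caveats a practitioner should keep in mind: the file in the `<pre>` block is flagged because there is a space before `.exe` in its name, which is what the RenV:: line in the CFScript above is meant to deal with; and a Sigcheck `[-]` only means ComboFix could not verify that file. On XP, Microsoft's patched system files are catalog-signed and routinely show up there, so compare the MD5 against a known-good copy before treating `tcpip.sys` or `sfcfiles.dll` as a detection, which is what the "Unsigned files aren't necessarily malware" note in the log is getting at.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines modelled on the ComboFix output in this
# thread, not a full log. Raw string, so the backslashes are literal.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57676:TCP"= 57676:TCP:Pando Media Booster
"57676:UDP"= 57676:UDP:Pando Media Booster
.
<pre>
c:\program files\XZONE REACTOR Application\XZONE REACTOR Application .exe
</pre>
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-10-14 . EA22DA5C7AE7192A12E37A7C546220C6 . 361600 . . [5.1.2600.6009] . . c:\windows\system32\drivers\tcpip.sys
.
S3 BKNDIS5;BKNDIS5 NDIS Protocol Driver; [x]
S3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\DRIVERS\ss.sys --> c:\windows\system32\DRIVERS\ss.sys [?]
"""


@dataclass(frozen=True)
class Finding:
    kind: str     # category tag chosen for this example
    detail: str   # the evidence, trimmed


# "[-] <date> . <MD5> . <size> . . [<version>] . . <path>"
SIGCHECK_RE = re.compile(
    r'^\[-\]\s+(\S+)\s+\.\s+([0-9A-Fa-f]{32})\s+\.\s+(\d+)\s+\.\s+\.\s+'
    r'\[([^\]]*)\]\s+\.\s+\.\s+(.+)$')
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=')
# Service lines ending in "[?]" (binary not found) or "[x]" (no path at all).
MISSING_SVC_RE = re.compile(r'^[RS]\d\s+\S.*\[[?x]\]$')
# Whitespace before the extension, or a double extension such as photo.jpg.exe.
ODD_NAME_RE = re.compile(r'\s\.[A-Za-z0-9]{1,4}$|\.[A-Za-z0-9]{1,4}\.[A-Za-z0-9]{1,4}$')


def triage(log_text):
    """Scan ComboFix-style log text and return the findings in log order."""
    findings = []
    section = ''      # lower-cased registry key of the current [..] block
    in_pre = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == '.':
            continue
        if line == '<pre>':
            in_pre, section = True, ''
            continue
        if line == '</pre>':
            in_pre = False
            continue
        if in_pre:
            name = line.rsplit('\\', 1)[-1]
            if ODD_NAME_RE.search(name):
                findings.append(Finding('odd-filename', line))
            continue
        if line.startswith(('(((', '---')):     # banner: leaves any registry block
            section = ''
            continue
        if line.startswith('[') and line.endswith(']') and not line.startswith('[-]'):
            section = line.lower()
            continue
        if ('firewallpolicy' in section and line.startswith('"EnableFirewall"=')
                and re.search(r'=\s*0\b', line)):
            findings.append(Finding('firewall-disabled', line))
            continue
        if 'globallyopenports' in section:
            m = PORT_RE.match(line)
            if m:
                findings.append(Finding('open-port', f'{m.group(1)}/{m.group(2)}'))
                continue
        m = SIGCHECK_RE.match(line)
        if m:
            findings.append(Finding(
                'unsigned-or-modified',
                f'{m.group(5)} md5={m.group(2)} size={m.group(3)} version={m.group(4)}'))
            continue
        if MISSING_SVC_RE.match(line):
            findings.append(Finding('service-missing-binary', line.split(';', 1)[0]))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.kind:24} {f.detail}')
```

Run it against a real ComboFix.txt by reading the file into `triage()` instead of `SAMPLE_LOG`; each `Finding` is a lead to check, not a verdict.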

#15 Pajajn (Topic Starter)

Posted 04 October 2012 - 02:06 PM

:thumbup2: :inlove:

On the first point, I'm actually using uTorrent 2.0.4 and have never had any problems with it over the years and on several computers. The XZone application comes from a "cheat", www.xzone-reactor.com, where I know the admin Pavel. The cheat application is just a login system to protect the source code, because the binary lies on his FTP server.

Here is the Jotti report
http://virusscan.jotti.org/en/scanresult/e41d7479d3dffabc3a166ed837ce0a3f5d0f39ce
:blink:

Never seen that file before, so I just wondered. On the other hand, the PC is working like a charm, regardless that it's the old-fashioned XP <_<
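Before handing an unknown DLL from system32 to a multi-engine scanner, a practitioner records its hashes (the scanner report and ComboFix's Sigcheck line both key on them, so the file can be looked up again later without re-uploading) and checks whether it even carries an embedded Authenticode signature. The block below is an added example, not code from this thread or from any of the tools mentioned in it. The DLL path is the one asked about above, but no copy of that file is available here, so the block also builds a constructed, headers-only PE image for offline testing. The caveat is the same one ComboFix prints: Microsoft's own XP system files (tcpip.sys, sfcfiles.dll) are catalog-signed rather than carrying an embedded signature, so a `False` from this check proves nothing on its own; it is the combination of an unrecognised name, no signature and no hash match anywhere that makes a file worth submitting.

```python
import hashlib
import struct
import sys

# Path taken from the question above; hypothetical here, no copy of the file exists.
UNKNOWN_DLL = r'c:\windows\system32\xcSxatsPseLd32.dll'

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data directory slot holding the Authenticode blob


def file_hashes(data):
    """MD5, SHA-1 and SHA-256 of the file bytes; multi-engine scanners key on these."""
    return {name: hashlib.new(name, data).hexdigest() for name in ('md5', 'sha1', 'sha256')}


def security_directory(data):
    """Return (offset, size) of the embedded Authenticode signature, or (0, 0) if none.

    Walks MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> optional header and reads data
    directory entry 4. For this entry 'VirtualAddress' is a raw file offset, not an RVA.
    """
    if data[:2] != b'MZ':
        raise ValueError('not a PE file: missing MZ header')
    (e_lfanew,) = struct.unpack_from('<I', data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('not a PE file: missing PE signature')
    coff = e_lfanew + 4
    (size_of_optional,) = struct.unpack_from('<H', data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from('<H', data, opt)
    if magic == 0x10B:          # PE32
        ndirs_off = opt + 92
    elif magic == 0x20B:        # PE32+
        ndirs_off = opt + 108
    else:
        raise ValueError('unknown optional header magic 0x%x' % magic)
    (ndirs,) = struct.unpack_from('<I', data, ndirs_off)
    if ndirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return (0, 0)
    entry = ndirs_off + 4 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    if entry + 8 > opt + size_of_optional:
        raise ValueError('data directory lies outside the optional header')
    return struct.unpack_from('<II', data, entry)


def triage(data):
    """Hashes plus an embedded-signature flag. A False flag is not a verdict:
    catalog-signed Microsoft files, the norm on XP, have no embedded signature."""
    off, size = security_directory(data)
    report = file_hashes(data)
    report['embedded_signature'] = bool(off and size)
    return report


def make_test_pe(sig_off=0, sig_size=0):
    """Constructed, headers-only PE32 image used for offline testing."""
    dos = b'MZ' + b'\0' * 58 + struct.pack('<I', 0x40)               # e_lfanew = 0x40
    coff = b'PE\0\0' + struct.pack('<HHIIIHH', 0x14C, 0, 0, 0, 0, 0xE0, 0x2102)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (sig_off, sig_size)
    opt = struct.pack('<H', 0x10B) + b'\0' * 90 + struct.pack('<I', 16)
    opt += b''.join(struct.pack('<II', *d) for d in dirs)            # 224 bytes in total
    return dos + coff + opt


if __name__ == '__main__':
    path = sys.argv[1] if len(sys.argv) > 1 else UNKNOWN_DLL
    with open(path, 'rb') as fh:
        for key, value in triage(fh.read()).items():
            print(f'{key}: {value}')
```

Pass a real file path on the command line; the SHA-256 is the value to search for in scanner databases and the hash you would quote back in a thread like this one.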



