
infected with software need to reinstall after few hours


  • This topic is locked
13 replies to this topic

#1 Nikuyu

Nikuyu

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:37 PM

Posted 16 November 2012 - 02:17 PM

Mod Edit: AII Topic http://www.bleepingcomputer.com/forums/topic475383.html/page__pid__2897108#entry2897108

DDS

DDS (Ver_2012-11-07.01) - NTFS_x86
Internet Explorer: 8.0.7600.16385
Run by arif at 3:11:30 on 2012-11-17
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2814.1598 [GMT 8:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Program Files\Autodesk\Content Service\Connect.Service.ContentService.exe
C:\Windows\system32\taskhost.exe
C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
.
============== Pseudo HJT Report ===============
.
uProxyOverride = local
mWinlogon: Userinit = c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe
BHO: IDM integration (IDMIEHlprObj Class): {0055C089-8582-441B-A0BF-17B458C2A3A8} - c:\program files\internet download manager\IDMIECC.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
uRun: [GarenaPlus] "c:\program files\garena plus\GarenaMessenger.exe" -autolaunch
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "c:\program files\amd avt\bin\kdbsync.exe" aml
StartupFolder: c:\users\arif\appdata\roaming\micros~1\windows\startm~1\programs\startup\facebo~1.lnk - c:\users\arif\appdata\local\facebook\messenger\2.1.4651.0\FacebookMessenger.exe
StartupFolder: c:\users\arif\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-Explorer: NoAutorun = dword:1
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{6E4F36D9-E6DA-4C74-9009-B450F4D878E1} : DHCPNameServer = 122.255.99.236 122.255.99.228
TCP: Interfaces\{A1FFD412-EE65-4C93-80C2-421DB8ECD636} : DHCPNameServer = 203.82.64.129 203.82.64.145
TCP: Interfaces\{D9856281-CA38-46AF-8BEA-1919FE4A8500} : DHCPNameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{D9856281-CA38-46AF-8BEA-1919FE4A8500}\8416070797A5F6E656 : DHCPNameServer = 10.128.128.128
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 A2DDA;A2 Direct Disk Access Support Driver;c:\users\arif\downloads\compressed\emsisoftemergencykit\run\a2ddax86.sys [2012-11-11 17904]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-7-4 217088]
R2 AMD FUEL Service;AMD FUEL Service;c:\program files\ati technologies\ati.ace\fuel\Fuel.Service.exe [2012-7-4 291840]
R2 Autodesk Content Service;Autodesk Content Service;c:\program files\autodesk\content service\Connect.Service.ContentService.exe [2011-2-2 18656]
R2 IDMWFP;IDMWFP;c:\windows\system32\drivers\idmwfp.sys [2012-5-2 96056]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\vodafone\vodafone mobile connect\bin\VMCService.exe [2008-11-4 14336]
R3 amdiox86;AMD IO Driver;c:\windows\system32\drivers\amdiox86.sys [2012-10-5 37944]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2012-2-23 86544]
R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\drivers\ew_jubusenum.sys [2012-11-11 72832]
R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\drivers\L1C62x86.sys [2009-6-11 50688]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-14 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-14 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-14 661504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Mobile Partner. RunOuc;Mobile Partner. OUC;c:\program files\mobile partner\updatedog\ouc.exe [2012-11-11 203776]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\solidworks corp\solidworks\swscheduler\DTSCoordinatorService.exe [2011-9-27 89160]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\drivers\ew_hwusbdev.sys [2012-11-11 102784]
S3 ew_usbenumfilter;huawei_CompositeFilter;c:\windows\system32\drivers\ew_usbenumfilter.sys [2012-11-11 11136]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2012-11-11 208896]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2008-11-12 7680]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 Remote Solver for Flow Simulation 2012;Remote Solver for Flow Simulation 2012;c:\program files\solidworks corp\solidworks flow simulation\bincfw\StandAloneSlv.exe [2011-8-17 90168]
S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [2012-10-5 110080]
S3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\drivers\zteusbvoice.sys [2012-10-5 104960]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]
S4 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
.
=============== File Associations ===============
.
FileExt: .scr: AutoCADScriptFile=c:\windows\system32\notepad.exe "%1"
.
=============== Created Last 30 ================
.
2012-11-16 16:01:50 56320 ----a-w- c:\windows\system32\SearchFilterHostSrv.exe
2012-11-16 15:01:54 -------- d-sh--w- C:\$RECYCLE.BIN
2012-11-16 15:01:52 -------- d-----w- c:\users\arif\appdata\local\temp
2012-11-16 03:18:05 -------- d-----w- c:\users\arif\DoctorWeb
2012-11-16 02:29:25 -------- d-----w- c:\windows\ERUNT
2012-11-16 02:29:16 -------- d-----w- C:\JRT
2012-11-16 01:49:34 -------- d-----w- c:\program files\SpywareBlaster
2012-11-15 13:29:32 -------- d-----w- c:\users\arif\appdata\local\ElevatedDiagnostics
2012-11-15 13:16:01 -------- d-----w- c:\program files\CCleaner
2012-11-11 11:24:59 82816 ----a-w- c:\windows\system32\drivers\ew_jucdcacm.sys
2012-11-11 11:24:59 72832 ----a-w- c:\windows\system32\drivers\ew_jubusenum.sys
2012-11-11 11:24:59 51712 ----a-w- c:\windows\system32\drivers\ew_jucdcecm.sys
2012-11-11 11:24:59 27008 ----a-w- c:\windows\system32\drivers\ew_juextctrl.sys
2012-11-11 11:24:59 19456 ----a-w- c:\windows\system32\drivers\ew_hwupgrade.sys
2012-11-11 11:24:59 168960 ----a-w- c:\windows\system32\drivers\ew_juwwanecm.sys
2012-11-11 11:24:50 860928 ----a-w- c:\windows\system32\drivers\mod7700.sys
2012-11-11 11:24:50 27136 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2012-11-11 11:24:50 208896 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2012-11-11 11:24:50 11136 ----a-w- c:\windows\system32\drivers\ew_usbenumfilter.sys
2012-11-11 11:24:50 106880 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2012-11-11 11:24:37 102784 ----a-w- c:\windows\system32\drivers\ew_hwusbdev.sys
2012-11-11 11:23:56 -------- d-----w- c:\program files\Mobile Partner
2012-11-10 20:43:26 3469308 ----a-w- c:\windows\system32\GameMon.des
2012-11-10 20:36:18 -------- d-----w- c:\program files\common files\INCA Shared
2012-11-10 20:05:18 4682 ----a-w- c:\windows\system32\npptNT2.sys
2012-11-10 20:05:17 5174 ----a-w- c:\windows\system32\nppt9x.vxd
2012-11-10 16:55:25 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll
2012-11-10 16:51:25 -------- d-----w- c:\windows\system32\directx
2012-11-05 05:29:40 -------- d-----w- c:\program files\common files\Labcenter Electronics
2012-11-03 13:50:57 -------- d-----w- c:\program files\Celcom Broadband Manager
2012-11-03 00:53:48 -------- d-----w- c:\users\arif\appdata\local\Facebook
2012-10-29 14:17:48 -------- d-----w- c:\users\arif\appdata\roaming\EDrawings
2012-10-26 10:00:33 -------- d-----w- c:\program files\common files\Steam
2012-10-26 10:00:31 -------- d-----w- c:\program files\Steam
2012-10-26 08:03:21 -------- d-----w- c:\users\arif\appdata\roaming\GarenaPlus
2012-10-26 07:55:15 -------- d-----w- c:\program files\Garena Plus
2012-10-26 07:55:04 -------- d-----w- c:\program files\GarenaHoN
2012-10-26 07:55:01 -------- d-----w- c:\programdata\GarenaMessenger
2012-10-24 23:36:15 200704 ----a-w- c:\windows\PLFSetI.exe
2012-10-24 23:36:15 -------- d-----w- c:\program files\Acer
2012-10-24 23:36:14 106496 ----a-w- c:\windows\FixUVC.exe
2012-10-24 06:47:37 -------- d-----w- c:\users\arif\appdata\local\Garena
2012-10-24 03:26:17 -------- d-----w- c:\users\arif\appdata\local\Dassault_Systèmes_SolidWo
2012-10-24 03:25:42 -------- d-----w- c:\users\arif\appdata\roaming\CircuitWorks
2012-10-23 17:26:37 -------- d-----w- c:\users\arif\appdata\local\tempSWBackupDirectory
2012-10-23 17:26:02 -------- d-----w- c:\users\arif\appdata\local\SolidWorks
2012-10-23 17:23:08 -------- d-----w- c:\programdata\SolidWorks Flow Simulation
2012-10-23 17:20:49 -------- d-----w- c:\users\arif\appdata\roaming\DassaultSystemes
2012-10-23 17:20:49 -------- d-----w- c:\users\arif\appdata\local\DassaultSystemes
2012-10-23 17:20:49 -------- d-----w- c:\programdata\DassaultSystemes
2012-10-23 17:12:18 -------- d-----w- c:\programdata\SolidWorks
2012-10-23 17:12:18 -------- d-----w- c:\program files\SolidWorks Corp
2012-10-23 17:12:18 -------- d-----w- c:\program files\NVIDIA Corporation
2012-10-23 17:09:03 -------- d-----w- c:\program files\MSECache
2012-10-23 17:08:34 -------- d-----w- c:\program files\common files\SolidWorks Shared
2012-10-23 17:08:23 -------- d-----w- C:\SolidWorks Data
2012-10-23 17:07:43 -------- d-----w- c:\program files\common files\SolidWorks Installation Manager
2012-10-23 17:04:56 -------- d-----w- c:\windows\SolidWorks
2012-10-23 17:04:52 -------- d-----w- c:\users\arif\appdata\roaming\SolidWorks
2012-10-23 13:34:57 -------- d-----w- c:\users\arif\appdata\roaming\2K Sports
2012-10-22 14:44:49 -------- d-----w- c:\program files\2K Sports
2012-10-22 13:27:51 -------- d-----w- c:\windows\pss
2012-10-21 06:03:18 -------- d-----w- c:\windows\system32\appmgmt
2012-10-19 17:16:43 -------- d-----w- c:\windows\AutoKMS
2012-10-19 15:57:27 -------- d-----w- c:\programdata\KONAMI
2012-10-19 13:11:59 -------- d-----w- c:\program files\The KMPlayer
2012-10-18 14:27:22 -------- d-----w- c:\program files\DC-Unlocker
.
==================== Find3M ====================
.
2012-11-16 15:31:47 151552 ----a-w- c:\windows\KMSEmulator.exe
2012-11-11 11:24:01 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
2012-11-11 11:24:01 1461992 ----a-w- c:\windows\system32\drivers\WdfCoInstaller01009.dll
2012-10-04 22:44:32 0 ----a-w- c:\windows\ativpsrm.bin
2012-10-04 20:37:11 73136 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-04 20:37:11 696240 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-07 09:04:46 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 3:11:47.62 ===============




combofix
ComboFix 12-11-15.01 - arif 11/16/2012 22:54:25.3.2 - x86 MINIMAL
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2814.1814 [GMT 8:00]
Running from: c:\users\arif\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Internet Explorer\dmlconf.dat
c:\program files\Microsoft\DesktopLayer.exe
c:\windows\system32\DEBUG.log
c:\windows\system32\drivers\etc\hosts.ics
.
.
((((((((((((((((((((((((( Files Created from 2012-10-16 to 2012-11-16 )))))))))))))))))))))))))))))))
.
.
2012-11-16 15:00 . 2012-11-16 15:00 -------- d-----w- c:\users\arif\AppData\Local\temp
2012-11-16 15:00 . 2012-11-16 15:00 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-11-16 15:00 . 2012-11-16 15:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-11-16 03:18 . 2012-11-16 03:42 -------- d-----w- c:\users\arif\DoctorWeb
2012-11-16 02:29 . 2012-11-16 02:29 -------- d-----w- c:\windows\ERUNT
2012-11-16 02:29 . 2012-11-16 02:29 -------- d-----w- C:\JRT
2012-11-16 01:49 . 2012-11-16 02:33 -------- d-----w- c:\program files\SpywareBlaster
2012-11-15 13:29 . 2012-11-15 13:29 -------- d-----w- c:\users\arif\AppData\Local\ElevatedDiagnostics
2012-11-15 13:16 . 2012-11-15 13:16 -------- d-----w- c:\program files\CCleaner
2012-11-11 11:24 . 2012-11-11 11:24 82816 ----a-w- c:\windows\system32\drivers\ew_jucdcacm.sys
2012-11-11 11:24 . 2012-11-11 11:24 72832 ----a-w- c:\windows\system32\drivers\ew_jubusenum.sys
2012-11-11 11:24 . 2012-11-11 11:24 51712 ----a-w- c:\windows\system32\drivers\ew_jucdcecm.sys
2012-11-11 11:24 . 2012-11-11 11:24 27008 ----a-w- c:\windows\system32\drivers\ew_juextctrl.sys
2012-11-11 11:24 . 2012-11-11 11:24 19456 ----a-w- c:\windows\system32\drivers\ew_hwupgrade.sys
2012-11-11 11:24 . 2012-11-11 11:24 168960 ----a-w- c:\windows\system32\drivers\ew_juwwanecm.sys
2012-11-11 11:24 . 2012-11-11 11:24 860928 ----a-w- c:\windows\system32\drivers\mod7700.sys
2012-11-11 11:24 . 2012-11-11 11:24 208896 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2012-11-11 11:24 . 2012-11-11 11:24 11136 ----a-w- c:\windows\system32\drivers\ew_usbenumfilter.sys
2012-11-11 11:24 . 2012-11-11 11:24 27136 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2012-11-11 11:24 . 2012-11-11 11:24 106880 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2012-11-11 11:24 . 2012-11-11 11:24 102784 ----a-w- c:\windows\system32\drivers\ew_hwusbdev.sys
2012-11-11 11:23 . 2012-11-11 11:25 -------- d-----w- c:\program files\Mobile Partner
2012-11-10 20:43 . 2010-03-10 17:24 3469308 ----a-w- c:\windows\system32\GameMon.des
2012-11-10 20:36 . 2012-11-10 20:36 -------- d-----w- c:\program files\Common Files\INCA Shared
2012-11-10 20:05 . 2004-12-29 00:43 4682 ----a-w- c:\windows\system32\npptNT2.sys
2012-11-10 20:05 . 2003-07-14 09:17 5174 ----a-w- c:\windows\system32\nppt9x.vxd
2012-11-10 16:55 . 2008-10-09 20:52 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll
2012-11-05 05:29 . 2012-11-05 05:30 -------- d-----w- c:\program files\Common Files\Labcenter Electronics
2012-11-03 13:50 . 2012-11-03 13:51 -------- d-----w- c:\program files\Celcom Broadband Manager
2012-11-03 00:53 . 2012-11-03 00:59 -------- d-----w- c:\users\arif\AppData\Local\Facebook
2012-10-29 14:17 . 2012-10-29 14:17 -------- d-----w- c:\users\arif\AppData\Roaming\EDrawings
2012-10-26 10:00 . 2012-10-26 10:24 -------- d-----w- c:\program files\Common Files\Steam
2012-10-26 10:00 . 2012-11-15 13:16 -------- d-----w- c:\program files\Steam
2012-10-26 08:03 . 2012-11-14 12:03 -------- d-----w- c:\users\arif\AppData\Roaming\GarenaPlus
2012-10-26 07:55 . 2012-11-10 20:27 -------- d-----w- c:\program files\Garena Plus
2012-10-26 07:55 . 2012-11-11 12:28 -------- d-----w- c:\program files\GarenaHoN
2012-10-26 07:55 . 2012-11-14 12:03 -------- d-----w- c:\programdata\GarenaMessenger
2012-10-24 23:36 . 2012-10-24 23:36 -------- d-----w- c:\program files\Acer
2012-10-24 23:36 . 2012-10-24 23:35 200704 ----a-w- c:\windows\PLFSetI.exe
2012-10-24 23:36 . 2008-09-09 11:02 106496 ----a-w- c:\windows\FixUVC.exe
2012-10-24 06:47 . 2012-10-24 06:47 -------- d-----w- c:\users\arif\AppData\Local\Garena
2012-10-24 03:26 . 2012-10-24 03:26 -------- d-----w- c:\users\arif\AppData\Local\Dassault_Systèmes_SolidWo
2012-10-24 03:25 . 2012-10-24 03:25 -------- d-----w- c:\users\arif\AppData\Roaming\CircuitWorks
2012-10-23 17:26 . 2012-10-23 17:26 -------- d-----w- c:\users\arif\AppData\Local\SolidWorks
2012-10-23 17:23 . 2012-10-23 17:23 -------- d-----w- c:\programdata\SolidWorks Flow Simulation
2012-10-23 17:20 . 2012-10-29 14:17 -------- d-----w- c:\programdata\DassaultSystemes
2012-10-23 17:20 . 2012-10-23 17:20 -------- d-----w- c:\users\arif\AppData\Roaming\DassaultSystemes
2012-10-23 17:20 . 2012-10-23 17:20 -------- d-----w- c:\users\arif\AppData\Local\DassaultSystemes
2012-10-23 17:12 . 2012-10-23 17:23 -------- d-----w- c:\program files\SolidWorks Corp
2012-10-23 17:12 . 2012-10-23 17:12 -------- d-----w- c:\programdata\SolidWorks
2012-10-23 17:12 . 2012-10-23 17:12 -------- d-----w- c:\program files\NVIDIA Corporation
2012-10-23 17:09 . 2012-10-23 17:09 -------- d-----w- c:\program files\MSECache
2012-10-23 17:08 . 2012-10-23 17:22 -------- d-----w- c:\program files\Common Files\SolidWorks Shared
2012-10-23 17:08 . 2012-10-23 17:17 -------- d-----w- C:\SolidWorks Data
2012-10-23 17:07 . 2012-10-23 17:08 -------- d-----w- c:\program files\Common Files\SolidWorks Installation Manager
2012-10-23 17:04 . 2012-10-23 17:08 -------- d-----w- c:\windows\SolidWorks
2012-10-23 17:04 . 2012-11-02 11:52 -------- d-----w- c:\users\arif\AppData\Roaming\SolidWorks
2012-10-23 13:34 . 2012-10-23 13:34 -------- d-----w- c:\users\arif\AppData\Roaming\2K Sports
2012-10-22 14:44 . 2012-10-22 14:44 -------- d-----w- c:\program files\2K Sports
2012-10-19 17:16 . 2012-10-20 08:38 -------- d-----w- c:\windows\AutoKMS
2012-10-19 15:57 . 2012-10-19 16:03 -------- d-----w- c:\programdata\KONAMI
2012-10-19 13:11 . 2012-11-15 13:28 -------- d-----w- c:\program files\The KMPlayer
2012-10-18 14:27 . 2012-10-18 14:27 -------- d-----w- c:\program files\DC-Unlocker
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-16 04:35 . 2012-10-04 09:09 151552 ----a-w- c:\windows\KMSEmulator.exe
2012-11-11 11:24 . 2012-10-04 20:16 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
2012-11-11 11:24 . 2012-10-04 20:16 1461992 ----a-w- c:\windows\system32\drivers\WdfCoInstaller01009.dll
2012-10-10 19:08 . 2012-10-10 19:03 181064 ----a-w- c:\windows\PSEXESVC.EXE
2012-10-04 20:37 . 2012-10-04 20:37 73136 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-04 20:37 . 2012-10-04 20:37 696240 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-18 16:59 . 2012-10-04 12:20 6980552 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8EF47CC5-20ED-4EB3-971F-BED3361AF2D6}\mpengine.dll
2012-09-07 09:04 . 2012-10-11 14:47 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2012-02-08 00:49 22376 ----a-w- c:\program files\Internet Download Manager\IDMShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2012-10-04 3487128]
"GarenaPlus"="c:\program files\Garena Plus\GarenaMessenger.exe" [2012-11-07 8790904]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AMD AVT"="start AMD Accelerated Video Transcoding device initialization" [X]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-07-03 641704]
.
c:\users\arif\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Facebook Messenger.lnk - c:\users\arif\AppData\Local\Facebook\Messenger\2.1.4651.0\FacebookMessenger.exe [2012-9-25 247728]
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-3-29 227712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoAutorun"= 1 (0x1)
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^SolidWorks Background Downloader.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\SolidWorks Background Downloader.lnk
backup=c:\windows\pss\SolidWorks Background Downloader.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^arif^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2010 Screen Clipper and Launcher.lnk]
path=c:\users\arif\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2010 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-27 20:51 919008 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 06:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
2012-10-04 16:21 3487128 ----a-w- c:\program files\Internet Download Manager\IDMan.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MobileConnect]
2008-11-04 03:40 2087424 ----a-w- c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLFSetI]
2012-10-24 23:35 200704 ----a-w- c:\windows\PLFSetI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2012-10-26 10:00 1353080 ----a-w- c:\program files\Steam\Steam.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Facebook Update"="c:\users\arif\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
.
R1 A2DDA;A2 Direct Disk Access Support Driver;c:\users\arif\Downloads\Compressed\EmsisoftEmergencyKit\Run\a2ddax86.sys [x]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
R2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [x]
R2 Autodesk Content Service;Autodesk Content Service;c:\program files\Autodesk\Content Service\Connect.Service.ContentService.exe [x]
R2 IDMWFP;IDMWFP;c:\windows\system32\DRIVERS\idmwfp.sys [x]
R2 Mobile Partner. RunOuc;Mobile Partner. OUC;c:\program files\Mobile Partner\UpdateDog\ouc.exe [x]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [x]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [x]
R3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe [x]
R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys [x]
R3 ew_usbenumfilter;huawei_CompositeFilter;c:\windows\system32\DRIVERS\ew_usbenumfilter.sys [x]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [x]
R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x86.sys [x]
R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\DRIVERS\massfilter.sys [x]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [x]
R3 Remote Solver for Flow Simulation 2012;Remote Solver for Flow Simulation 2012;c:\program files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\StandAloneSlv.exe [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [x]
R3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\DRIVERS\ZTEusbnet.sys [x]
R3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\DRIVERS\ZTEusbvoice.sys [x]
R4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [x]
R4 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
S3 amdiox86;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox86.sys [x]
S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-16 c:\windows\Tasks\AutoKMS.job
- c:\windows\AutoKMS\AutoKMS.exe [2012-10-19 17:16]
.
2012-11-16 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3185159435-4133482620-319130613-1000Core.job
- c:\users\arif\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-11-03 00:53]
.
2012-11-16 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3185159435-4133482620-319130613-1000UA.job
- c:\users\arif\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-11-03 00:53]
.
2012-11-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-10-04 20:37]
.
2012-11-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-10-04 20:37]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = local
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 8.8.8.8 8.8.4.4
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-11-16 23:01:50
ComboFix-quarantined-files.txt 2012-11-16 15:01
ComboFix2.txt 2012-11-10 21:08
ComboFix3.txt 2012-10-11 14:59
.
Pre-Run: 1,031,929,856 bytes free
Post-Run: 919,429,120 bytes free
.
- - End Of File - - 875C8D0B5F78674B5236DCC9E2941FF4

Edited by boopme, 16 November 2012 - 05:09 PM.



#2 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:11:37 AM

Posted 19 November 2012 - 02:31 PM

Hello and welcome to BleepingComputer! :)



I am Elle and I will be helping you out with your problem. Firstly, you should know that we are working with specific tools which are used to identify the possible threats present on your system so I will analyze the results they produce.


As a start we need to have some more up-to-date logs than the ones you have already provided. The current state of the files on your system might have changed, so we need to get a clear look at that aspect. DO NOT make any changes to the system except the ones I tell you to, as that may produce more damage than help.

If you encounter a delay of over 2 days from me, please don't hesitate to private message me (link in the signature).
Do not forget to check your topic periodically and subscribe to it so that you can receive notifications regarding my replies.



Please generate another DDS log (download it from http://download.bleepingcomputer.com/sUBs/dds.com if you haven't already) and post it in your next reply along with other changes that may have occurred since you last posted.
Also download and run GMER from this link: GMER download link.



Thank you very much for your patience.




Regards,

Elle
Can you hear it? It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.




#3 Nikuyu

Nikuyu
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:37 PM

Posted 20 November 2012 - 08:06 AM

Thanks for the reply. I may be slow to reply because at my place it is hard to get an internet connection.

DDS LOGS.

DDS (Ver_2012-11-07.01) - NTFS_x86
Internet Explorer: 8.0.7600.16385
Run by arif at 20:56:27 on 2012-11-20
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2814.1481 [GMT 8:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Autodesk\Content Service\Connect.Service.ContentService.exe
C:\Windows\system32\taskhost.exe
C:\ProgramData\DatacardService\DCService.exe
C:\ProgramData\DatacardService\DCSHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k secsvcs
.
============== Pseudo HJT Report ===============
.
uProxyOverride = local
mWinlogon: Userinit = c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe,c:\programdata\datacardservice\datacard_setupsrv.exe
BHO: IDM integration (IDMIEHlprObj Class): {0055C089-8582-441B-A0BF-17B458C2A3A8} - c:\program files\internet download manager\IDMIECC.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
uRun: [GarenaPlus] "c:\program files\garena plus\GarenaMessenger.exe" -autolaunch
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "c:\program files\amd avt\bin\kdbsync.exe" aml
StartupFolder: c:\users\arif\appdata\roaming\micros~1\windows\startm~1\programs\startup\facebo~1.lnk - c:\users\arif\appdata\local\facebook\messenger\2.1.4651.0\FacebookMessenger.exe
StartupFolder: c:\users\arif\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-Explorer: NoAutorun = dword:1
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{6E4F36D9-E6DA-4C74-9009-B450F4D878E1} : DHCPNameServer = 122.255.99.236 122.255.99.228
TCP: Interfaces\{A1FFD412-EE65-4C93-80C2-421DB8ECD636} : DHCPNameServer = 203.82.64.129 203.82.64.145
TCP: Interfaces\{D9856281-CA38-46AF-8BEA-1919FE4A8500} : DHCPNameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{D9856281-CA38-46AF-8BEA-1919FE4A8500}\8416070797A5F6E656 : DHCPNameServer = 10.128.128.128
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 A2DDA;A2 Direct Disk Access Support Driver;c:\users\arif\downloads\compressed\emsisoftemergencykit\run\a2ddax86.sys [2012-11-11 17904]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-7-4 217088]
R2 AMD FUEL Service;AMD FUEL Service;c:\program files\ati technologies\ati.ace\fuel\Fuel.Service.exe [2012-7-4 291840]
R2 Autodesk Content Service;Autodesk Content Service;c:\program files\autodesk\content service\Connect.Service.ContentService.exe [2011-2-2 18656]
R2 DCService.exe;DCService.exe;c:\programdata\datacardservice\DCService.exe [2010-9-29 249856]
R2 IDMWFP;IDMWFP;c:\windows\system32\drivers\idmwfp.sys [2012-5-2 96056]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\vodafone\vodafone mobile connect\bin\VMCService.exe [2008-11-4 14336]
R3 amdiox86;AMD IO Driver;c:\windows\system32\drivers\amdiox86.sys [2012-10-5 37944]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2012-2-23 86544]
R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\drivers\ew_jubusenum.sys [2012-11-17 72832]
R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\drivers\L1C62x86.sys [2009-6-11 50688]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-14 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-14 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-14 661504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Mobile Partner. RunOuc;Mobile Partner. OUC;c:\program files\mobile partner\updatedog\ouc.exe [2012-11-17 203776]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\solidworks corp\solidworks\swscheduler\DTSCoordinatorService.exe [2011-9-27 89160]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\drivers\ew_hwusbdev.sys [2012-11-17 102784]
S3 ew_usbenumfilter;huawei_CompositeFilter;c:\windows\system32\drivers\ew_usbenumfilter.sys [2012-11-17 11136]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2012-11-17 208896]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2008-11-12 7680]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 Remote Solver for Flow Simulation 2012;Remote Solver for Flow Simulation 2012;c:\program files\solidworks corp\solidworks flow simulation\bincfw\StandAloneSlv.exe [2011-8-17 90168]
S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [2012-10-5 110080]
S3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\drivers\zteusbvoice.sys [2012-10-5 104960]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]
S4 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
.
=============== File Associations ===============
.
FileExt: .scr: AutoCADScriptFile=c:\windows\system32\notepad.exe "%1"
.
=============== Created Last 30 ================
.
2012-11-17 16:18:43 826368 ----a-w- c:\windows\system32\rdpcore.dll
2012-11-17 16:18:43 24064 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-11-17 16:18:43 177152 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-11-17 16:18:39 132608 ----a-w- c:\windows\system32\cabview.dll
2012-11-17 15:09:28 -------- d-----w- c:\program files\common files\Labcenter Electronics
2012-11-17 13:17:13 -------- d-----w- c:\program files\Fast Blacksmith
2012-11-17 13:01:38 82816 ----a-w- c:\windows\system32\drivers\ew_jucdcacm.sys
2012-11-17 13:01:38 72832 ----a-w- c:\windows\system32\drivers\ew_jubusenum.sys
2012-11-17 13:01:38 51712 ----a-w- c:\windows\system32\drivers\ew_jucdcecm.sys
2012-11-17 13:01:38 27008 ----a-w- c:\windows\system32\drivers\ew_juextctrl.sys
2012-11-17 13:01:38 19456 ----a-w- c:\windows\system32\drivers\ew_hwupgrade.sys
2012-11-17 13:01:38 168960 ----a-w- c:\windows\system32\drivers\ew_juwwanecm.sys
2012-11-17 13:01:25 860928 ----a-w- c:\windows\system32\drivers\mod7700.sys
2012-11-17 13:01:25 27136 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2012-11-17 13:01:25 208896 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2012-11-17 13:01:25 11136 ----a-w- c:\windows\system32\drivers\ew_usbenumfilter.sys
2012-11-17 13:01:25 106880 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2012-11-17 13:01:05 102784 ----a-w- c:\windows\system32\drivers\ew_hwusbdev.sys
2012-11-17 13:00:44 -------- d-----w- c:\program files\Mobile Partner
2012-11-17 11:11:39 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-11-17 11:11:18 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-11-17 11:11:18 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-11-16 23:02:47 6980552 ----a-w- c:\programdata\microsoft\windows defender\definition updates\backup\mpengine.dll
2012-11-16 23:02:41 6918632 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{e1ba7939-e604-4357-86db-fa6024788748}\mpengine.dll
2012-11-16 16:01:50 56320 ----a-w- c:\windows\system32\SearchFilterHostSrv.exe
2012-11-16 15:01:54 -------- d-sh--w- C:\$RECYCLE.BIN
2012-11-16 15:01:52 -------- d-----w- c:\users\arif\appdata\local\temp
2012-11-16 03:18:05 -------- d-----w- c:\users\arif\DoctorWeb
2012-11-16 02:29:25 -------- d-----w- c:\windows\ERUNT
2012-11-16 02:29:16 -------- d-----w- C:\JRT
2012-11-16 01:49:34 -------- d-----w- c:\program files\SpywareBlaster
2012-11-15 13:29:32 -------- d-----w- c:\users\arif\appdata\local\ElevatedDiagnostics
2012-11-15 13:16:01 -------- d-----w- c:\program files\CCleaner
2012-11-10 20:43:26 3469308 ----a-w- c:\windows\system32\GameMon.des
2012-11-10 20:36:18 -------- d-----w- c:\program files\common files\INCA Shared
2012-11-10 20:05:18 4682 ----a-w- c:\windows\system32\npptNT2.sys
2012-11-10 20:05:17 5174 ----a-w- c:\windows\system32\nppt9x.vxd
2012-11-10 16:55:25 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll
2012-11-10 16:51:25 -------- d-----w- c:\windows\system32\directx
2012-11-03 13:50:57 -------- d-----w- c:\program files\Celcom Broadband Manager
2012-11-03 00:53:48 -------- d-----w- c:\users\arif\appdata\local\Facebook
2012-10-29 14:17:48 -------- d-----w- c:\users\arif\appdata\roaming\EDrawings
2012-10-26 10:00:33 -------- d-----w- c:\program files\common files\Steam
2012-10-26 10:00:31 -------- d-----w- c:\program files\Steam
2012-10-26 08:03:21 -------- d-----w- c:\users\arif\appdata\roaming\GarenaPlus
2012-10-26 07:55:15 -------- d-----w- c:\program files\Garena Plus
2012-10-26 07:55:04 -------- d-----w- c:\program files\GarenaHoN
2012-10-26 07:55:01 -------- d-----w- c:\programdata\GarenaMessenger
2012-10-24 23:36:15 200704 ----a-w- c:\windows\PLFSetI.exe
2012-10-24 23:36:15 -------- d-----w- c:\program files\Acer
2012-10-24 23:36:14 106496 ----a-w- c:\windows\FixUVC.exe
2012-10-24 06:47:37 -------- d-----w- c:\users\arif\appdata\local\Garena
2012-10-24 03:26:17 -------- d-----w- c:\users\arif\appdata\local\Dassault_Systèmes_SolidWo
2012-10-24 03:25:42 -------- d-----w- c:\users\arif\appdata\roaming\CircuitWorks
2012-10-23 17:26:37 -------- d-----w- c:\users\arif\appdata\local\tempSWBackupDirectory
2012-10-23 17:26:02 -------- d-----w- c:\users\arif\appdata\local\SolidWorks
2012-10-23 17:23:08 -------- d-----w- c:\programdata\SolidWorks Flow Simulation
2012-10-23 17:20:49 -------- d-----w- c:\users\arif\appdata\roaming\DassaultSystemes
2012-10-23 17:20:49 -------- d-----w- c:\users\arif\appdata\local\DassaultSystemes
2012-10-23 17:20:49 -------- d-----w- c:\programdata\DassaultSystemes
2012-10-23 17:12:18 -------- d-----w- c:\programdata\SolidWorks
2012-10-23 17:12:18 -------- d-----w- c:\program files\SolidWorks Corp
2012-10-23 17:12:18 -------- d-----w- c:\program files\NVIDIA Corporation
2012-10-23 17:09:03 -------- d-----w- c:\program files\MSECache
2012-10-23 17:08:34 -------- d-----w- c:\program files\common files\SolidWorks Shared
2012-10-23 17:08:23 -------- d-----w- C:\SolidWorks Data
2012-10-23 17:07:43 -------- d-----w- c:\program files\common files\SolidWorks Installation Manager
2012-10-23 17:04:56 -------- d-----w- c:\windows\SolidWorks
2012-10-23 17:04:52 -------- d-----w- c:\users\arif\appdata\roaming\SolidWorks
2012-10-23 13:34:57 -------- d-----w- c:\users\arif\appdata\roaming\2K Sports
2012-10-22 14:44:49 -------- d-----w- c:\program files\2K Sports
2012-10-22 13:27:51 -------- d-----w- c:\windows\pss
.
==================== Find3M ====================
.
2012-11-20 03:13:37 151552 ----a-w- c:\windows\KMSEmulator.exe
2012-11-17 13:18:19 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-17 13:18:19 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-17 13:00:47 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
2012-11-17 13:00:47 1461992 ----a-w- c:\windows\system32\drivers\WdfCoInstaller01009.dll
2012-10-04 22:44:32 0 ----a-w- c:\windows\ativpsrm.bin
2012-09-07 09:04:46 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 20:57:14.58 ===============

#4 Nikuyu

Nikuyu
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:37 PM

Posted 20 November 2012 - 10:24 PM

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-11-21 11:24:11
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS545025B9A300 rev.PB2OC60F
Running: gmer.exe; Driver: C:\Users\arif\AppData\Local\Temp\kxldrpob.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 83087579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 830ABF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x91E0D000, 0x2BFBF0, 0xE8000020]
.text peauth.sys A1C1BC9D 28 Bytes [5E, 1B, BC, 71, E9, C7, 2B, ...]
.text peauth.sys A1C1BCC1 28 Bytes [5E, 1B, BC, 71, E9, C7, 2B, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Google\Chrome\Application\chrome.exe[1212] ntdll.dll!NtCreateFile + 6 77A64A16 4 Bytes [28, 18, 74, 00] {SUB [EAX], BL; JZ 0x4}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1212] ntdll.dll!NtCreateFile + B 77A64A1B 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1212] ntdll.dll!NtMapViewOfSection + 6 77A65076 4 Bytes [28, 1B, 74, 00] {SUB [EBX], BL; JZ 0x4}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1212] ntdll.dll!NtMapViewOfSection + B 77A6507B 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1212] ntdll.dll!NtOpenFile + 6 77A65126 4 Bytes [68, 18, 74, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1212] ntdll.dll!NtOpenFile + B 77A6512B 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1212] ntdll.dll!NtOpenProcess + 6 77A651D6 4 Bytes [A8, 19, 74, 00] {TEST AL, 0x19; JZ 0x4}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1212] ntdll.dll!NtOpenProcess + B 77A651DB 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1212] ntdll.dll!NtOpenProcessToken + B 77A651EB 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1212] ntdll.dll!NtOpenProcessTokenEx + 6 77A651F6 4 Bytes [A8, 1A, 74, 00] {TEST AL, 0x1a; JZ 0x4}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1212] ntdll.dll!NtOpenProcessTokenEx + B 77A651FB 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1212] ntdll.dll!NtOpenThread + 6 77A65256 4 Bytes [68, 19, 74, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1212] ntdll.dll!NtOpenThread + B 77A6525B 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1212] ntdll.dll!NtOpenThreadToken + 6 77A65266 4 Bytes [68, 1A, 74, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1212] ntdll.dll!NtOpenThreadToken + B 77A6526B 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1212] ntdll.dll!NtOpenThreadTokenEx + B 77A6527B 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1212] ntdll.dll!NtQueryAttributesFile + 6 77A65386 4 Bytes [A8, 18, 74, 00] {TEST AL, 0x18; JZ 0x4}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1212] ntdll.dll!NtQueryAttributesFile + B 77A6538B 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1212] ntdll.dll!NtQueryFullAttributesFile + B 77A6543B 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1212] ntdll.dll!NtSetInformationFile + 6 77A65A86 4 Bytes [28, 19, 74, 00] {SUB [ECX], BL; JZ 0x4}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1212] ntdll.dll!NtSetInformationFile + B 77A65A8B 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1212] ntdll.dll!NtSetInformationThread + 6 77A65AE6 4 Bytes [28, 1A, 74, 00] {SUB [EDX], BL; JZ 0x4}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1212] ntdll.dll!NtSetInformationThread + B 77A65AEB 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1212] ntdll.dll!NtUnmapViewOfSection + 6 77A65E06 4 Bytes [68, 1B, 74, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1212] ntdll.dll!NtUnmapViewOfSection + B 77A65E0B 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2488] ntdll.dll!NtCreateFile + 6 77A64A16 4 Bytes [28, 44, B4, 00] {SUB [ESP+ESI*4+0x0], AL}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2488] ntdll.dll!NtCreateFile + B 77A64A1B 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2488] ntdll.dll!NtMapViewOfSection + 6 77A65076 4 Bytes [28, 47, B4, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2488] ntdll.dll!NtMapViewOfSection + B 77A6507B 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2488] ntdll.dll!NtOpenFile + 6 77A65126 4 Bytes [68, 44, B4, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2488] ntdll.dll!NtOpenFile + B 77A6512B 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2488] ntdll.dll!NtOpenProcess + 6 77A651D6 4 Bytes [A8, 45, B4, 00] {TEST AL, 0x45; MOV AH, 0x0}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2488] ntdll.dll!NtOpenProcess + B 77A651DB 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2488] ntdll.dll!NtOpenProcessToken + B 77A651EB 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2488] ntdll.dll!NtOpenProcessTokenEx + 6 77A651F6 4 Bytes [A8, 46, B4, 00] {TEST AL, 0x46; MOV AH, 0x0}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2488] ntdll.dll!NtOpenProcessTokenEx + B 77A651FB 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2488] ntdll.dll!NtOpenThread + 6 77A65256 4 Bytes [68, 45, B4, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2488] ntdll.dll!NtOpenThread + B 77A6525B 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2488] ntdll.dll!NtOpenThreadToken + 6 77A65266 4 Bytes [68, 46, B4, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2488] ntdll.dll!NtOpenThreadToken + B 77A6526B 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2488] ntdll.dll!NtOpenThreadTokenEx + B 77A6527B 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2488] ntdll.dll!NtQueryAttributesFile + 6 77A65386 4 Bytes [A8, 44, B4, 00] {TEST AL, 0x44; MOV AH, 0x0}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2488] ntdll.dll!NtQueryAttributesFile + B 77A6538B 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2488] ntdll.dll!NtQueryFullAttributesFile + B 77A6543B 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2488] ntdll.dll!NtSetInformationFile + 6 77A65A86 4 Bytes [28, 45, B4, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2488] ntdll.dll!NtSetInformationFile + B 77A65A8B 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2488] ntdll.dll!NtSetInformationThread + 6 77A65AE6 4 Bytes [28, 46, B4, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2488] ntdll.dll!NtSetInformationThread + B 77A65AEB 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2488] ntdll.dll!NtUnmapViewOfSection + 6 77A65E06 4 Bytes [68, 47, B4, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2488] ntdll.dll!NtUnmapViewOfSection + B 77A65E0B 1 Byte [E2]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000058 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Edited by Nikuyu, 21 November 2012 - 04:31 PM.


#5 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:37 AM

Posted 21 November 2012 - 11:24 AM

Hasn't DDS produced another log except DDS.txt? A logfile called Attached.txt?



Elle

#6 Nikuyu

Nikuyu
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:37 PM

Posted 21 November 2012 - 04:37 PM

Oh, sorry... I think I attached it already.. I didn't know I couldn't upload a 7-Zip archive file..
So this is what you requested: attached file attach.zip (4.01KB)

#7 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:37 AM

Posted 22 November 2012 - 12:13 PM

Hi there,

Thank you very much for providing the logs.


I will be back with an answer asap. :)




Elle

#8 Nikuyu

Nikuyu
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:37 PM

Posted 23 November 2012 - 11:49 AM

Thanks.. I really dislike this.. I always need to reinstall..

#9 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:37 AM

Posted 24 November 2012 - 05:08 PM

Hi there,


I'm afraid I have very bad news.

Win32/Ramnit (and related variants) is a dangerous file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A or VBS/Generic. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.

With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of damage can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and a major source of system infection. However, a variant called the Ramnit worm targets Facebook users....can bypass two-factor authentication and transaction signing systems, gain remote access to financial institutions and compromise online banking.

In my opinion, Ramnit is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Security vendors that claim to be able to remove file infectors cannot guarantee that all traces of it will be removed as they may not find all the remnants. If something goes awry during the malware removal process there is always a risk the computer may become unstable or unbootable and you could lose access to all your data.

Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what security expert miekiemoes has to say: Virut and other File infectors - Throwing in the Towel?

If I guide someone with Virut (or any other File Infector) present and their Antivirus cannot properly disinfect it, then I recommend a format and reinstall...dealing with such infections is a waste of time and that's why I prefer the fastest and safest solution - which is a format and reinstall...After all, I think it would be irresponsible to let the malware "stew" (download/spread/run more malware) for another couple of days/weeks if you already know it's a lost case.

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).





Elle
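One way to read the Pseudo HJT section of the DDS log posted earlier in this thread for the two signals that matter in a file-infector/backdoor case, as an added example that is not part of DDS, of the thread, or of any tool the helper used: the Winlogon Userinit value lists programs beyond userinit.exe (Winlogon starts every entry at each interactive logon, so extra entries are a persistence point to investigate, even though some may turn out to be vendor software), and the mPolicies-System entries show UAC switched off. The sample lines are copied from the log above; the section names and the decimal dword formatting are those DDS uses there.

```python
"""Offline triage of DDS 'Pseudo HJT Report' lines for two Windows 7
signals visible in the log above: programs chained onto the Winlogon
Userinit value, and UAC policies switched off. Added example; not part
of DDS or of this thread."""
import re
from typing import List, Tuple

# Constructed sample: lines copied from the DDS log posted in this thread.
SAMPLE_DDS = r"""
mWinlogon: Userinit = c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe,c:\programdata\datacardservice\datacard_setupsrv.exe
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
"""

# The stock Windows 7 value is userinit.exe alone (with a trailing comma).
EXPECTED_USERINIT = "userinit.exe"

# UAC-related policy values that, at the value shown, weaken the system.
# Key: (DDS section, value name, weak value) -> explanation.
WEAK_POLICIES = {
    ("mPolicies-System", "EnableLUA", 0): "UAC disabled entirely",
    ("mPolicies-System", "ConsentPromptBehaviorAdmin", 0):
        "administrators elevate silently, no consent prompt",
    ("mPolicies-System", "PromptOnSecureDesktop", 0):
        "elevation prompts not shown on the secure desktop",
}

# DDS layout for the lines handled here: "<section>: <name> = <value>".
_LINE = re.compile(r"^(?P<section>[A-Za-z-]+): (?P<name>[^=\[]+?) = (?P<value>.*)$")


def userinit_extras(value: str) -> List[str]:
    """Return every program in a Userinit value other than userinit.exe.

    Userinit is a comma separated list and Winlogon starts each entry,
    so anything added here runs at every logon. Empty entries (the ',,'
    in the log) are ignored; matching is by basename, case-insensitive.
    """
    extras = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        basename = entry.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename != EXPECTED_USERINIT:
            extras.append(entry)
    return extras


def _dword(text: str) -> int:
    """Parse a DDS 'dword:255' value; DDS prints dwords in decimal."""
    return int(text.split(":", 1)[1], 10)


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Scan Pseudo HJT lines and return (finding code, detail) pairs."""
    findings = []
    for raw in log_text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue  # uRun/BHO/IE lines use other layouts; not handled here
        section = m.group("section")
        name = m.group("name").strip()
        value = m.group("value").strip()
        if section == "mWinlogon" and name == "Userinit":
            for extra in userinit_extras(value):
                findings.append(("USERINIT_EXTRA", extra))
        elif value.startswith("dword:"):
            number = _dword(value)
            reason = WEAK_POLICIES.get((section, name, number))
            if reason:
                findings.append(("WEAK_POLICY", f"{name}={number}: {reason}"))
    return findings


if __name__ == "__main__":
    for code, detail in triage(SAMPLE_DDS):
        print(f"{code:15} {detail}")
```

On the sample above this reports two USERINIT_EXTRA entries and three WEAK_POLICY entries; NoDriveTypeAutoRun=255 (autorun off for all drive types) is a hardening setting and is left alone.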

#10 Nikuyu

Nikuyu
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:37 PM

Posted 24 November 2012 - 06:06 PM

From what you say.. it seems it is really bad.. So? I need to perform a full format of my computer? C and D HDD drives?..

#11 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:37 AM

Posted 25 November 2012 - 06:29 AM

That would be the short story, indeed.

It is a really dangerous infection.




Elle

#12 Nikuyu

Nikuyu
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:37 PM

Posted 25 November 2012 - 01:17 PM

OK, thanks for the info. May I know what the best antivirus is to reduce virus infections on a PC? I hate most antivirus programs that make my PC slow, especially Kasp. Could you give me some info on how to protect my PC?

#13 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:11:37 AM

Posted 27 November 2012 - 12:05 PM

Hi there,

In matters of protection and security programs, you should have a main component:

  • An Antivirus which stops malware, in general;

Two good Antivirus programs would be

Though you have to take into consideration the fact that the program is not as important as the person in front of the desktop. You have to be careful where you surf on the Internet.

And several pieces of advice on how to protect your system from issues:

  • Use an AntiVirus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future.
  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
  • Check for any Java updates, as the Java installation is one frequently exploited program through which malware may access your system.
  • Take into consideration the possibility of updating your Adobe installation, as it represents a secure path for some types of exploits to your system.
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.






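To check the items in that list on a Windows 7 machine rather than guessing, here is an added, read-only PowerShell audit script; it is not part of this thread or of any BleepingComputer tool, and it assumes that Security Center's undocumented productState value follows the commonly reported byte layout.

```powershell
# Added audit script, not from this thread. Read-only: it reports the state of each item
# in the checklist above on Windows 7 (PowerShell 2.0 or later). Run it from an elevated prompt.

# 1. Antivirus registered with Security Center, and whether it is enabled and up to date.
#    productState is not documented by Microsoft; the byte layout used here is the commonly
#    reported interpretation (assumption): byte 2 = 10/11 means enabled, byte 3 = 00 means current.
$avs = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct
if (-not $avs) { Write-Warning 'No antivirus product is registered with Security Center.' }
foreach ($av in $avs) {
    $hex     = '{0:X6}' -f [int]$av.productState
    $enabled = @('10', '11') -contains $hex.Substring(2, 2)
    $current = $hex.Substring(4, 2) -eq '00'
    "AV: {0}  enabled={1}  up-to-date={2}" -f $av.displayName, $enabled, $current
}

# 2. Windows Firewall state for every profile (netsh works on Windows 7;
#    Get-NetFirewallProfile only exists on Windows 8 and later).
netsh advfirewall show allprofiles state | Select-String -Pattern 'Profile Settings|^State'

# 3. Installed Java and Adobe products with their versions, so out-of-date builds stand out.
#    Both Uninstall hives are read; Wow6432Node is simply absent on a 32-bit install.
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Java|Adobe' } |
    Sort-Object DisplayName |
    Select-Object DisplayName, DisplayVersion |
    Format-Table -AutoSize

# 4. Windows Update: is Automatic Updates on, when did it last install successfully,
#    and how many software updates are still waiting (the search can take a minute).
$au   = New-Object -ComObject Microsoft.Update.AutoUpdate
$last = $au.Results.LastInstallationSuccessDate
"Automatic Updates enabled: {0}; last successful install: {1} ({2:N0} days ago)" -f `
    $au.ServiceEnabled, $last, ((Get-Date) - $last).TotalDays
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and Type='Software'").Updates.Count
if ($pending -gt 0) { Write-Warning "$pending update(s) are waiting to be installed." }
else { 'No pending software updates.' }
```

An antivirus that shows enabled=False or up-to-date=False, a profile whose State is OFF, or a last successful install weeks in the past each corresponds to one of the points in the list and is worth fixing before anything else.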
#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,924 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:11:37 AM

Posted 02 December 2012 - 03:08 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft




