
Trojan.agent and another trojan


  • This topic is locked
1 reply to this topic

#1 lftenjamin

  • Members
  • 4 posts

Posted 22 December 2012 - 02:38 AM

A friend of mine gave me this laptop and bought himself a new one. I figured something was fishy, and of course I was right. Nothing worked: files locked, slow, Google redirects, the whole nine yards. It wouldn't boot into Startup Repair, there was no antivirus program, and it was impossible to System Restore. I had a copy of Windows 7 Ultimate and booted from CD, tried reformatting from there, and it seemed like it worked; the install was kinda smooth, though I needed to manually find some drivers. I can boot into everything for the moment now. I was able to actually download some antivirus programs and try to make some progress on my own. Did some scans, finally found the trojans, and can't shake 'em off. Malwarebytes keeps deleting them, but they come back... Anyway, DDS logs:

DDS (Ver_2012-11-20.01) - NTFS_AMD64 NETWORK
Internet Explorer: 9.0.8112.16457 BrowserJavaVersion: 10.10.2
Run by Matt at 2:25:42 on 2012-12-22
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.6051.5176 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\notepad.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
Trusted Zone: dell.com
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{0FA18E2B-AC77-4DA2-83B0-ABA93809E584} : DHCPNameServer = 192.168.1.254
SSODL: WebCheck - <orphaned>
x64-Run: [BLEServicesCtrl] C:\Program Files (x86)\Intel\Bluetooth\BleServicesCtrl.exe
x64-Run: [BTMTrayAgent] rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll",TrayApp
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\1h65ny7r.default\
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_135.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2009-10-26 75264]
R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2009-10-26 176640]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2012-12-21 406632]
S0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2012-8-30 228768]
S2 Bluetooth Device Monitor;Bluetooth Device Monitor;C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe [2012-3-27 1014096]
S2 Bluetooth OBEX Service;Bluetooth OBEX Service;C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe [2012-3-27 1104208]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-22 399432]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-22 676936]
S3 Bluetooth Media Service;Bluetooth Media Service;C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe [2012-3-27 1304912]
S3 btmaux;Intel Bluetooth Auxiliary Service;C:\Windows\System32\drivers\btmaux.sys [2012-2-13 95232]
S3 btmhsf;btmhsf;C:\Windows\System32\drivers\btmhsf.sys [2012-2-13 747008]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
S3 ibtfltcoex;ibtfltcoex;C:\Windows\System32\drivers\iBtFltCoex.sys [2012-3-21 60928]
S3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-12-22 25928]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2012-8-30 128456]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-9-12 368896]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2010-11-20 20992]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2012-12-21 250984]
S3 Synth3dVsc;Synth3dVsc;C:\Windows\System32\drivers\Synth3dVsc.sys [2011-4-12 88960]
S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\System32\drivers\terminpt.sys [2011-4-12 34816]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 tsusbhub;tsusbhub;C:\Windows\System32\drivers\tsusbhub.sys [2011-4-12 117248]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-12-21 1255736]
.
=============== Created Last 30 ================
.
2012-12-22 07:01:27 20480 ----a-w- C:\Windows\svchost.exe
2012-12-22 07:00:36 -------- d-----w- C:\Windows\System32\MpEngineStore
2012-12-22 05:56:58 -------- d-----w- C:\Users\Matt\AppData\Roaming\Malwarebytes
2012-12-22 05:56:47 -------- d-----w- C:\ProgramData\Malwarebytes
2012-12-22 05:56:46 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-12-22 05:56:46 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-12-22 04:46:08 -------- d-----w- C:\Program Files (x86)\NEC Electronics
2012-12-22 03:52:25 9125352 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{4A1D58E5-4683-4CF0-B1F9-5A78A3BE3A83}\mpengine.dll
2012-12-22 03:39:15 98816 ----a-w- C:\Windows\sed.exe
2012-12-22 03:39:15 256000 ----a-w- C:\Windows\PEV.exe
2012-12-22 03:39:15 208896 ----a-w- C:\Windows\MBR.exe
2012-12-22 03:28:12 -------- d-----w- C:\Users\Matt\AppData\Local\ElevatedDiagnostics
2012-12-22 02:48:42 972264 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{7540D426-E0EF-4415-B006-EED2BB39F063}\gapaengine.dll
2012-12-22 02:41:14 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2012-12-22 02:41:08 -------- d-----w- C:\Program Files\Microsoft Security Client
2012-12-22 02:31:35 -------- d-----w- C:\Windows\SysWow64\Wat
2012-12-22 02:31:34 -------- d-----w- C:\Windows\System32\Wat
2012-12-22 02:31:09 1139200 ----a-w- C:\Windows\System32\FntCache.dll
2012-12-22 02:31:08 902656 ----a-w- C:\Windows\System32\d2d1.dll
2012-12-22 02:31:08 739840 ----a-w- C:\Windows\SysWow64\d2d1.dll
2012-12-22 02:12:55 9728 ----a-w- C:\Windows\System32\Wdfres.dll
2012-12-22 02:12:55 785512 ----a-w- C:\Windows\System32\drivers\Wdf01000.sys
2012-12-22 02:12:55 54376 ----a-w- C:\Windows\System32\drivers\WdfLdr.sys
2012-12-22 02:12:55 2560 ----a-w- C:\Windows\System32\drivers\en-US\wdf01000.sys.mui
2012-12-22 02:03:36 8199504 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2012-12-22 02:01:33 81408 ----a-w- C:\Windows\System32\imagehlp.dll
2012-12-22 02:01:33 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2012-12-22 02:01:33 5120 ----a-w- C:\Windows\System32\wmi.dll
2012-12-22 02:01:33 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2012-12-22 02:01:33 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2012-12-22 01:58:47 376688 ----a-w- C:\Windows\System32\drivers\netio.sys
2012-12-22 01:57:59 961024 ----a-w- C:\Windows\System32\CPFilters.dll
2012-12-22 01:55:23 1731920 ----a-w- C:\Windows\System32\ntdll.dll
2012-12-22 01:55:23 1292080 ----a-w- C:\Windows\SysWow64\ntdll.dll
2012-12-22 01:49:36 -------- d-----w- C:\Windows\Panther
2012-12-22 01:46:20 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-12-22 01:46:14 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-12-22 01:46:03 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-12-22 01:46:03 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-12-22 01:42:04 -------- d-----w- C:\Program Files (x86)\SystemRequirementsLab
2012-12-22 01:41:40 859072 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2012-12-22 01:41:40 779704 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-12-22 01:41:34 95184 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2012-12-22 01:22:33 -------- d-----w- C:\Windows\SysWow64\sda
2012-12-22 01:22:06 9888360 ----a-w- C:\Windows\SysWow64\RtsUStoricon.dll
2012-12-22 01:22:06 422504 ----a-w- C:\Windows\System32\RtsUStor.dll
2012-12-22 01:22:06 250984 ----a-w- C:\Windows\System32\drivers\RtsUStor.sys
2012-12-22 01:16:36 -------- d-----w- C:\Users\Matt\AppData\Local\Macromedia
2012-12-22 01:16:18 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-12-22 01:16:18 697272 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-12-22 01:05:49 53248 ----a-w- C:\Windows\SysWow64\CSVer.dll
2012-12-22 01:05:42 -------- d-----w- C:\Intel
2012-12-21 23:49:29 -------- d-----w- C:\Users\Matt\AppData\Local\Apps
2012-12-21 23:49:28 -------- d-----w- C:\Users\Matt\AppData\Local\Deployment
2012-12-21 23:44:35 74272 ----a-w- C:\Windows\System32\RtNicProp64.dll
2012-12-21 23:44:35 406632 ----a-w- C:\Windows\System32\drivers\Rt64win7.sys
2012-12-21 23:44:35 107552 ----a-w- C:\Windows\System32\RTNUninst64.dll
2012-12-21 23:44:32 -------- d-----w- C:\Program Files (x86)\Realtek
2012-12-21 23:36:39 -------- d-----w- C:\Dell
2012-12-21 23:25:41 -------- d-sh--w- C:\Windows\Installer
2012-12-21 22:59:26 -------- d-----w- C:\Users\Matt\AppData\Local\Diagnostics
2012-12-21 22:57:02 -------- d-----w- C:\Users\Matt\AppData\Local\VirtualStore
.
==================== Find3M ====================
.
2012-12-16 17:11:22 46080 ----a-w- C:\Windows\System32\atmlib.dll
2012-12-16 14:45:03 367616 ----a-w- C:\Windows\System32\atmfd.dll
2012-12-16 14:13:28 295424 ----a-w- C:\Windows\SysWow64\atmfd.dll
2012-12-16 14:13:20 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2012-11-22 03:26:40 3149824 ----a-w- C:\Windows\System32\win32k.sys
2012-11-09 05:45:09 2048 ----a-w- C:\Windows\System32\tzres.dll
2012-11-09 04:42:49 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2012-11-02 05:59:11 478208 ----a-w- C:\Windows\System32\dpnet.dll
2012-11-02 05:11:31 376832 ----a-w- C:\Windows\SysWow64\dpnet.dll
2012-10-16 08:38:37 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2012-10-16 08:38:34 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
2012-10-16 07:39:52 561664 ----a-w- C:\Windows\apppatch\AcLayers.dll
2012-10-09 18:17:13 55296 ----a-w- C:\Windows\System32\dhcpcsvc6.dll
2012-10-09 18:17:13 226816 ----a-w- C:\Windows\System32\dhcpcore6.dll
2012-10-09 17:40:31 44032 ----a-w- C:\Windows\SysWow64\dhcpcsvc6.dll
2012-10-09 17:40:31 193536 ----a-w- C:\Windows\SysWow64\dhcpcore6.dll
2012-10-04 17:46:16 362496 ----a-w- C:\Windows\System32\wow64win.dll
2012-10-04 17:46:15 243200 ----a-w- C:\Windows\System32\wow64.dll
2012-10-04 17:46:15 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2012-10-04 17:45:55 215040 ----a-w- C:\Windows\System32\winsrv.dll
2012-10-04 17:43:28 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2012-10-04 17:41:16 424960 ----a-w- C:\Windows\System32\KernelBase.dll
2012-10-04 16:47:41 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2012-10-04 16:47:41 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2012-10-04 15:21:55 338432 ----a-w- C:\Windows\System32\conhost.exe
2012-10-04 14:46:46 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2012-10-04 14:46:46 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2012-10-04 14:46:44 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2012-10-04 14:46:43 2048 ----a-w- C:\Windows\SysWow64\user.exe
2012-10-04 14:41:50 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2012-10-04 14:41:50 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2012-10-04 14:41:50 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2012-10-04 14:41:50 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2012-10-03 17:56:54 1914248 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2012-10-03 17:44:21 70656 ----a-w- C:\Windows\System32\nlaapi.dll
2012-10-03 17:44:21 303104 ----a-w- C:\Windows\System32\nlasvc.dll
2012-10-03 17:44:17 246272 ----a-w- C:\Windows\System32\netcorehc.dll
2012-10-03 17:44:17 18944 ----a-w- C:\Windows\System32\netevent.dll
2012-10-03 17:44:16 216576 ----a-w- C:\Windows\System32\ncsi.dll
2012-10-03 17:42:16 569344 ----a-w- C:\Windows\System32\iphlpsvc.dll
2012-10-03 16:42:24 18944 ----a-w- C:\Windows\SysWow64\netevent.dll
2012-10-03 16:42:24 175104 ----a-w- C:\Windows\SysWow64\netcorehc.dll
2012-10-03 16:42:23 156672 ----a-w- C:\Windows\SysWow64\ncsi.dll
2012-10-03 16:07:26 45568 ----a-w- C:\Windows\System32\drivers\tcpipreg.sys
2012-09-25 22:47:43 78336 ----a-w- C:\Windows\SysWow64\synceng.dll
2012-09-25 22:46:17 95744 ----a-w- C:\Windows\System32\synceng.dll
.
============= FINISH: 2:25:49.19 ===============
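One thing a log like the one above is for is spotting files that carry a core Windows binary's name but sit in the wrong directory: the "Created Last 30" section lists a `C:\Windows\svchost.exe`, whereas the legitimate copies of svchost.exe live in `C:\Windows\System32` and `C:\Windows\SysWOW64`. A non-canonical location on its own is not proof of infection (the file still has to be checked by hash and Authenticode signature), but it is the kind of entry a malware-response helper would ask about first. The following is an added example for this thread, not part of DDS or of the original post: a small Python parser for the DDS "Created Last 30" / "Find3M" entry format plus a check that flags well-known binary names appearing outside their expected directories. The canonical-location table and the sample lines are assumptions constructed for the example (the sample copies a few entries from the log above in shape and value, but is not a full log).

```python
"""Flag well-known Windows binary names that appear outside their canonical
directories in the "Created Last 30" section of a DDS log.

Added example for this thread; not part of DDS or of the original post.
CANONICAL_DIRS is an illustrative table maintained here by assumption, not an
authoritative Microsoft list.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One DDS file entry: "<date> <time> <size, or -------- for dirs> <attrs> <path>"
DDS_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+?)\s*$"
)

# Where each core binary legitimately lives on 64-bit Windows 7
# (assumption for this example; directories compared case-insensitively).
CANONICAL_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "lsm.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "conhost.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}


@dataclass(frozen=True)
class DdsEntry:
    date: str
    time: str
    size: Optional[int]   # None for directories (DDS prints "--------")
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        # DDS attribute string starts with "d" for directories, "-" for files.
        return self.attrs.startswith("d")


def parse_created_section(text: str) -> List[DdsEntry]:
    """Parse the entry lines of a DDS 'Created Last 30' or 'Find3M' section.

    Section headers, the "." separator lines and blanks do not match the
    entry format and are skipped rather than treated as errors.
    """
    entries = []
    for raw in text.splitlines():
        m = DDS_LINE.match(raw.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(DdsEntry(m["date"], m["time"], size, m["attrs"], m["path"]))
    return entries


def split_windows_path(path: str) -> Tuple[str, str]:
    """Return (directory, filename) for a Windows path, both lower-cased."""
    low = path.lower().rstrip("\\")
    directory, _, name = low.rpartition("\\")
    return directory, name


def find_misplaced_binaries(entries: List[DdsEntry]) -> List[DdsEntry]:
    """Return file entries whose name is a known core binary but whose
    directory is not one of the canonical locations for that name."""
    flagged = []
    for e in entries:
        if e.is_dir:
            continue
        directory, name = split_windows_path(e.path)
        expected = CANONICAL_DIRS.get(name)
        if expected is not None and directory not in expected:
            flagged.append(e)
    return flagged


# Constructed sample in the DDS format (a handful of entries, not a full log).
SAMPLE_CREATED_LAST_30 = r"""
=============== Created Last 30 ================
.
2012-12-22 07:01:27 20480 ----a-w- C:\Windows\svchost.exe
2012-12-22 07:00:36 -------- d-----w- C:\Windows\System32\MpEngineStore
2012-12-22 05:56:46 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-12-22 03:39:15 98816 ----a-w- C:\Windows\sed.exe
2012-10-04 15:21:55 338432 ----a-w- C:\Windows\System32\conhost.exe
.
"""

if __name__ == "__main__":
    for e in find_misplaced_binaries(parse_created_section(SAMPLE_CREATED_LAST_30)):
        print(f"{e.date} {e.time} {e.size:>8} {e.path}  <- not a canonical location")
```

Run against the sample, the script reports only the `C:\Windows\svchost.exe` entry; `conhost.exe` in System32 passes, and names not in the table (sed.exe, mbam.sys) are ignored rather than guessed at. The check is deliberately a name-and-directory heuristic: it tells you what to verify with a hash lookup or `sigcheck`, not what to delete.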

#2 Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 26 December 2012 - 08:59 AM

Hi,

If help is still needed, post fresh DDS logs, please.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.
