Win32/Bifrose.NEC trojan Nod32 problem


This topic is locked
9 replies to this topic

#1 kfrabida

Posted 31 December 2012 - 06:55 AM

Hi guys.

Every time I start up, ESET Nod32 comes up with this problem:

Operating memory » explorer.exe(3044) - a variant of Win32/Bifrose.NEC trojan - unable to clean

It can't seem to delete it. I hope you can help me remove this virus.

Thanks.

--

DDS.txt

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 10.0.9200.16453 BrowserJavaVersion: 10.10.2
Run by Kevin Mark at 19:51:46 on 2012-12-31
Microsoft Windows 8 Pro with Media Center 6.2.9200.0.1252.1.1033.18.1978.573 [GMT 8:00]
.
AV: ESET NOD32 Antivirus 6.0 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
AV: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: ESET NOD32 Antivirus 6.0 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\dwm.exe
C:\Program Files\Stardock\Decor8\Decor8Srv.exe
C:\Program Files\Stardock\Decor8\Decor8.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Connectify\ConnectifyService.exe
C:\Windows\system32\dashost.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Connectify\ConnectifyD.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\srvany.exe
C:\Windows\KMService.exe
C:\Windows\system32\conhost.exe
C:\QMSYS\bin\qmsvc.exe
C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Windows\system32\taskhostex.exe
C:\Windows\Explorer.EXE
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16.4.4406.1205_x86__8wekyb3d8bbwe\LiveComm.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\RuntimeBroker.exe
C:\Program Files\iNTERNET Turbo\iDetect.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\USB Disk Security\USBGuard.exe
C:\Windows\VM303_STI.EXE
C:\Program Files\Real\RealPlayer\Update\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Windows 8 Start Screen Customizer\ModernUIStartScreen.exe
C:\Program Files\DeskSpace\deskspace.exe
C:\Users\Kevin Mark\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Nero\Update\NASvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Users\Kevin Mark\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k SDRSVC
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.ph/
uWindow Title = Ahsan_Manan_Khan_Bhutta * Internet Explorer *
uProxyServer = proxy.up.edu.ph:8080
uProxyOverride = local;<local>
uURLSearchHooks: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - <orphaned>
BHO: IDM integration (IDMIEHlprObj Class): {0055C089-8582-441B-A0BF-17B458C2A3A8} - c:\program files\internet download manager\IDMIECC.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\programdata\realnetworks\realdownloader\browserplugins\ie\rndlbrowserrecordplugin.dll
BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - c:\program files\microsoft office\office15\OCHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office15\URLREDIR.DLL
BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - c:\program files\microsoft office\office15\GROOVEEX.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: brumacldegrm Object: {F7C28AAD-3A72-4FB7-ADD3-71CD9DB2418E} - LocalServer32 - <no file>
BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
uRun: [Google Update] "c:\users\kevin mark\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe" /MINIMIZED
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [Win8StartScreen] "c:\program files\windows 8 start screen customizer\ModernUIStartScreen.exe" -hidden
uRun: [{E5942C16-2F98-8D32-6BFB-878C8ED072EF}] c:\users\kevin mark\appdata\roaming\4f85k48\Boot inf.exe
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [Detect] c:\program files\internet turbo\iDetect.exe /auto
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [RaidCall] c:\program files\raidcall\raidcall.exe
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [WordWeb] "c:\program files\wordweb\wweb32.exe" -startup
mRun: [Smart File Advisor] "c:\program files\smart file advisor\sfa.exe" /checkassoc
mRun: [USB Security] c:\program files\usb disk security\USBGuard.exe
mRun: [BigDog303] c:\windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\kevinm~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\desksp~1.lnk - c:\program files\deskspace\deskspace.exe
StartupFolder: c:\users\kevinm~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\kevin mark\appdata\roaming\dropbox\bin\Dropbox.exe
uPolicies-Explorer: DisableThumbnailsOnNetworkFolders = dword:1
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: HideFastUserSwitching = dword:0
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office15\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office15\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office15\ONBttnIE.dll
IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - c:\program files\microsoft office\office15\OCHelper.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office15\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {9A9825C1-8A41-4FDA-BC07-7F5FBECC02E6} - hxxp://item.koramgame.com/st/login/activex/KoramGameStarter.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{347D7BC1-654F-453F-AB81-5FB558285EC7} : NameServer = 10.198.220.124 202.126.40.5
TCP: Interfaces\{B7B6191A-B829-4DE9-962A-8B288661260B} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{FB4E5C1E-E73F-4EC9-ABED-9A8487F50F1C} : NameServer = 8.8.8.8
Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office15\MSOXMLMF.DLL
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - c:\program files\microsoft office\office15\MSOSB.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
Hosts: 127.0.0.1 validation.sls.microsoft.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\kevin mark\appdata\roaming\mozilla\firefox\profiles\mjorknk4.default\
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - prefs.js: network.proxy.ftp - freezone.google.com
FF - prefs.js: network.proxy.ftp_port - 80
FF - prefs.js: network.proxy.gopher - proxy7.up.edu.ph
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - freezone.google.com
FF - prefs.js: network.proxy.http_port - 80
FF - prefs.js: network.proxy.socks - freezone.google.com
FF - prefs.js: network.proxy.socks_port - 80
FF - prefs.js: network.proxy.ssl - freezone.google.com
FF - prefs.js: network.proxy.ssl_port - 80
FF - prefs.js: network.proxy.type - 0
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\users\kevin mark\appdata\roaming\idm\idmmzcc3\components\idmmzcc.dll
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\progra~1\micros~2\office15\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\adobe\oobe\pdapp\ccm\utilities\npAdobeAAMDetect32.dll
FF - plugin: c:\program files\common files\adobe\oobe\pdapp\ccm\utilities\npAdobeAAMDetect64.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMeetingJoinPluginOC.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nprpplugin.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpplugin.dll
FF - plugin: c:\programdata\realnetworks\realdownloader\browserplugins\mozillaplugins\nprndlchromebrowserrecordext.dll
FF - plugin: c:\programdata\realnetworks\realdownloader\browserplugins\mozillaplugins\nprndlhtml5videoshim.dll
FF - plugin: c:\programdata\realnetworks\realdownloader\browserplugins\mozillaplugins\nprndlpepperflashvideoshim.dll
FF - plugin: c:\programdata\realnetworks\realdownloader\browserplugins\npdlplugin.dll
FF - plugin: c:\users\kevin mark\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll
FF - plugin: c:\users\kevin mark\appdata\local\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\users\kevin mark\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\kevin mark\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\kevin mark\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\users\kevin mark\appdata\roaming\raidcall\plugins\nprcplugin.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_135.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
FF - ExtSQL: 2012-12-13 07:46; {bb6bc1bb-f824-4702-90cd-35e2fb24f25d}; c:\users\kevin mark\appdata\roaming\mozilla\firefox\profiles\mjorknk4.default\extensions\{bb6bc1bb-f824-4702-90cd-35e2fb24f25d}
FF - ExtSQL: 2012-12-30 15:46; {34712C68-7391-4c47-94F3-8F88D49AD632}; c:\programdata\realnetworks\realdownloader\browserplugins\firefox\Ext
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R1 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [2012-6-14 171168]
R2 Connectify;Connectify;c:\program files\connectify\ConnectifyService.exe [2012-8-14 65536]
R2 Decor8;Stardock Decor8;c:\program files\stardock\decor8\Decor8Srv.exe [2012-11-20 74416]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2012-6-14 1288104]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2012-6-14 104200]
R2 IDMWFP;IDMWFP;c:\windows\system32\drivers\idmwfp.sys [2012-11-21 100216]
R2 KMService;KMService;c:\windows\system32\srvany.exe [2011-2-9 8192]
R2 NAUpdate;Nero Update;c:\program files\nero\update\NASvc.exe [2012-7-13 769432]
R2 QMSvc;QMSvc;c:\qmsys\bin\qmsvc.exe [2012-1-23 184320]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\realnetworks\realdownloader\rndlresolversvc.exe [2012-11-29 38608]
R2 Skype C2C Service;Skype C2C Service;c:\programdata\skype\toolbars\skype c2c service\c2c_service.exe [2012-12-13 3290896]
R3 L1C;NDIS Miniport Driver for Qualcomm Atheros AR81xx PCI-E Ethernet Controller;c:\windows\system32\drivers\L1C63x86.sys [2012-6-22 93848]
S1 cnnctfy2;Connectify LightWeight Filter;c:\windows\system32\drivers\cnnctfy2.sys [2012-8-14 27248]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-3 160944]
S3 apf003;apf003;c:\windows\system32\apf003.sys [2012-3-21 13232]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2009-12-16 25832]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2011-1-14 201168]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2011-1-14 101120]
S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 WinRing0_1_2_0;WinRing0_1_2_0;c:\program files\iobit\game booster\driver\WinRing0.sys [2012-5-9 14416]
.
=============== File Associations ===============
.
FileExt: .js: Applications\firefox.exe - HKCR\Unknown\Shell="c:\program files\smart file advisor\sfa.exe" /unknown "%1" [UserChoice] [default=openas]
.
=============== Created Last 30 ================
.
2012-12-31 10:03:40 93640 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-12-31 06:06:54 -------- d--h--w- c:\users\kevin mark\appdata\roaming\4f85k48
2012-12-31 05:56:16 -------- d-----w- c:\programdata\Package Cache
2012-12-31 05:45:11 15541248 ----a-w- c:\program files\common files\microsoft shared\microsoft camera codec pack\MicrosoftRawCodec.dll
2012-12-30 07:47:29 -------- d-----w- c:\users\kevin mark\appdata\roaming\RealNetworks
2012-12-30 07:46:31 -------- d-----w- c:\program files\RealNetworks
2012-12-30 07:46:26 -------- d-----w- c:\programdata\RealNetworks
2012-12-30 07:46:19 -------- d-----w- c:\program files\common files\xing shared
2012-12-30 07:46:08 153296 ----a-w- c:\program files\mozilla firefox\plugins\nppl3260.dll
2012-12-30 07:45:57 124056 ----a-w- c:\program files\mozilla firefox\plugins\nprpplugin.dll
2012-12-29 08:27:25 -------- d-----w- c:\users\kevin mark\appdata\local\Temp
2012-12-26 03:36:15 -------- d-----w- c:\windows\PCHEALTH
2012-12-26 03:36:15 -------- d-----w- c:\program files\Microsoft SQL Server
2012-12-21 10:02:49 300032 ----a-w- c:\windows\system32\atmfd.dll
2012-12-21 10:02:48 75776 ----a-w- c:\windows\system32\fontsub.dll
2012-12-21 10:02:48 35328 ----a-w- c:\windows\system32\atmlib.dll
2012-12-21 10:02:48 3072 ----a-w- c:\windows\system32\lpk.dll
2012-12-21 10:02:48 10752 ----a-w- c:\windows\system32\dciman32.dll
2012-12-17 09:17:14 -------- d-----w- C:\gravity
2012-12-17 05:32:26 -------- d-----w- c:\program files\NVIDIA Corporation
2012-12-17 05:24:14 -------- d-----w- C:\PlayPark
2012-12-16 03:40:31 -------- d-----w- c:\program files\WinPcap
2012-12-15 07:07:47 132608 ----a-w- c:\windows\system32\poqexec.exe
2012-12-13 06:30:28 5955856 ----a-w- c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
2012-12-13 00:33:54 58880 ----a-w- c:\windows\system32\dpnathlp.dll
2012-12-13 00:33:54 375808 ----a-w- c:\windows\system32\dpnet.dll
2012-12-13 00:33:54 32256 ----a-w- c:\windows\system32\dpnsvr.exe
2012-12-13 00:33:53 8192 ----a-w- c:\windows\system32\dpnhupnp.dll
2012-12-13 00:33:53 8192 ----a-w- c:\windows\system32\dpnhpast.dll
2012-12-13 00:33:53 3072 ----a-w- c:\windows\system32\dpnlobby.dll
2012-12-13 00:33:53 2560 ----a-w- c:\windows\system32\dpnaddr.dll
2012-12-13 00:12:59 3401728 ----a-w- c:\windows\system32\win32k.sys
2012-12-12 23:32:07 2048 ----a-w- c:\windows\system32\tzres.dll
2012-12-12 23:26:14 846336 ----a-w- c:\windows\system32\reseteng.dll
2012-12-12 23:26:14 733184 ----a-w- c:\windows\system32\resetengmig.dll
2012-12-12 23:26:14 375808 ----a-w- c:\windows\system32\ReAgent.dll
2012-12-12 23:26:14 117248 ----a-w- c:\windows\system32\sysreset.exe
2012-12-10 05:43:35 -------- d-----w- c:\program files\Nero
2012-12-10 05:43:28 -------- d-----w- c:\programdata\Nero
2012-12-05 23:51:03 96224 ----a-w- c:\program files\mozilla firefox\webapprt-stub.exe
2012-12-05 23:51:03 157272 ----a-w- c:\program files\mozilla firefox\webapp-uninstaller.exe
2012-12-05 23:51:01 184248 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2012-12-05 23:51:01 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin7.dll
2012-12-05 23:51:01 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin6.dll
2012-12-05 23:51:01 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin5.dll
2012-12-05 23:51:01 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin4.dll
2012-12-05 23:51:01 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin3.dll
2012-12-05 23:51:01 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin2.dll
2012-12-05 23:51:01 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin.dll
2012-12-03 02:21:38 -------- d-----w- c:\users\kevin mark\appdata\roaming\Zbshareware Lab
.
==================== Find3M ====================
.
2012-12-31 10:03:28 859072 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-12-31 10:03:28 779704 ----a-w- c:\windows\system32\deployJava1.dll
2012-12-30 07:45:44 499712 ----a-w- c:\windows\system32\msvcp71.dll
2012-12-30 07:45:44 348160 ----a-w- c:\windows\system32\msvcr71.dll
2012-11-29 23:06:06 80736 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-29 23:06:06 695648 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-28 04:21:17 44032 ----a-w- c:\windows\system32\UXInit.dll
2012-11-22 00:43:14 100216 ----a-w- c:\windows\system32\drivers\idmwfp.sys
2012-11-15 06:06:34 2706432 ----a-w- c:\windows\system32\mshtml.tlb
2012-11-08 04:25:35 1775104 ----a-w- c:\windows\system32\wininet.dll
2012-11-08 04:25:29 662016 ----a-w- c:\windows\system32\uxtheme.dll
2012-11-08 04:24:27 2881536 ----a-w- c:\windows\system32\jscript9.dll
2012-11-08 04:24:22 61440 ----a-w- c:\windows\system32\iesetup.dll
2012-11-08 04:24:22 109056 ----a-w- c:\windows\system32\iesysprep.dll
2012-11-02 05:22:08 34304 ----a-w- c:\windows\system32\wuapp.exe
2012-11-02 05:22:05 53760 ----a-w- c:\windows\system32\taskhostex.exe
2012-11-02 05:22:05 53760 ----a-w- c:\windows\system32\taskhost.exe
2012-11-02 05:21:44 83968 ----a-w- c:\windows\system32\wudriver.dll
2012-11-02 05:21:44 215040 ----a-w- c:\windows\system32\WUSettingsProvider.dll
2012-11-02 05:21:44 1555456 ----a-w- c:\windows\system32\wucltux.dll
2012-11-02 05:21:44 125952 ----a-w- c:\windows\system32\wuwebv.dll
2012-11-02 05:21:43 15872 ----a-w- c:\windows\system32\wuaext.dll
2012-11-02 05:21:28 246784 ----a-w- c:\windows\system32\ubpm.dll
2012-11-02 05:00:16 99328 ----a-w- c:\windows\system32\wushareduxresources.dll
2012-11-02 04:53:43 168448 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2012-11-02 04:51:07 308736 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2012-10-29 03:19:08 463768 ----a-w- c:\windows\system32\AUDIOKSE.dll
2012-10-29 03:19:08 427568 ----a-w- c:\windows\system32\AudioEng.dll
2012-10-29 03:19:08 324344 ----a-w- c:\windows\system32\AudioSes.dll
2012-10-29 03:19:07 207552 ----a-w- c:\windows\system32\audiodg.exe
2012-10-29 02:46:23 1451520 ----a-w- c:\windows\system32\mfcore.dll
2012-10-29 02:46:06 100352 ----a-w- c:\windows\system32\EncDump.dll
2012-10-29 02:45:49 595968 ----a-w- c:\windows\system32\audiosrv.dll
2012-10-29 02:45:49 136704 ----a-w- c:\windows\system32\AudioEndpointBuilder.dll
2012-10-24 03:11:52 5563624 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-10-24 03:11:52 319208 ----a-w- c:\windows\system32\halmacpi.dll
2012-10-24 02:48:12 24064 ----a-w- c:\windows\system32\ReAgentc.exe
2012-10-24 02:48:10 11776 ----a-w- c:\windows\system32\pcalua.exe
2012-10-24 02:47:23 333824 ----a-w- c:\windows\system32\pcasvc.dll
2012-10-24 02:47:23 24064 ----a-w- c:\windows\system32\pcadm.dll
2012-10-24 02:26:15 11776 ----a-w- c:\windows\system32\pcaevts.dll
2012-10-20 02:44:53 431104 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2012-10-20 02:25:35 310784 ----a-w- c:\windows\apppatch\AcRes.dll
2012-10-18 03:13:24 58088 ----a-w- c:\windows\system32\drivers\pdc.sys
2012-10-18 02:46:00 8856576 ----a-w- c:\windows\system32\twinui.dll
2012-10-18 02:44:38 2033664 ----a-w- c:\windows\system32\authui.dll
2012-10-18 02:44:33 753664 ----a-w- c:\windows\system32\actxprxy.dll
2012-10-17 03:57:37 929792 ----a-w- c:\windows\system32\mfnetsrc.dll
2012-10-17 03:57:37 568832 ----a-w- c:\windows\system32\mfnetcore.dll
2012-10-17 03:57:37 513024 ----a-w- c:\windows\system32\mfmpeg2srcsnk.dll
2012-10-17 03:57:36 850944 ----a-w- c:\windows\system32\mfasfsrcsnk.dll
2012-10-12 07:12:33 23272 ----a-w- c:\windows\system32\drivers\rdpvideominiport.sys
2012-10-12 05:41:02 987648 ----a-w- c:\windows\system32\srmclient.dll
2012-10-12 05:41:02 68096 ----a-w- c:\windows\system32\srmtrace.dll
2012-10-12 05:41:02 487936 ----a-w- c:\windows\system32\srmscan.dll
2012-10-12 05:41:02 278528 ----a-w- c:\windows\system32\srm.dll
2012-10-12 05:41:02 202240 ----a-w- c:\windows\system32\srmstormod.dll
2012-10-12 05:41:02 15872 ----a-w- c:\windows\system32\srm_ps.dll
2012-10-12 05:41:02 128000 ----a-w- c:\windows\system32\srmshell.dll
2012-10-12 05:41:02 104448 ----a-w- c:\windows\system32\adrclient.dll
2012-10-12 05:40:54 30208 ----a-w- c:\windows\system32\rfxvmt.dll
2012-10-12 05:40:53 2797056 ----a-w- c:\windows\system32\rdpcorets.dll
2012-10-12 05:40:49 84992 ----a-w- c:\windows\system32\wbem\PolicMan.dll
2012-10-12 05:39:54 82944 ----a-w- c:\windows\system32\dskquota.dll
2012-10-12 05:15:27 214528 ----a-w- c:\windows\system32\rdpudd.dll
2012-10-12 05:11:51 492544 ----a-w- c:\windows\system32\drivers\srv2.sys
2012-10-11 05:59:34 299752 ----a-w- c:\windows\system32\drivers\Classpnp.sys
2012-10-11 05:58:52 939424 ----a-w- c:\windows\system32\winresume.exe
2012-10-11 05:58:52 1166720 ----a-w- c:\windows\system32\winload.efi
2012-10-11 05:58:52 1063936 ----a-w- c:\windows\system32\winload.exe
2012-10-11 05:58:52 1034976 ----a-w- c:\windows\system32\winresume.efi
2012-10-11 05:56:41 2115952 ----a-w- c:\windows\explorer.exe
2012-10-11 05:48:14 829672 ----a-w- c:\windows\system32\drivers\ndis.sys
2012-10-11 05:48:14 342248 ----a-w- c:\windows\system32\drivers\netio.sys
2012-10-11 05:45:35 158440 ----a-w- c:\windows\system32\drivers\sdbus.sys
2012-10-11 05:45:32 104168 ----a-w- c:\windows\system32\drivers\dumpsd.sys
2012-10-11 05:45:31 50920 ----a-w- c:\windows\system32\drivers\dam.sys
2012-10-11 05:45:23 30440 ----a-w- c:\windows\system32\drivers\battc.sys
2012-10-11 05:42:31 612416 ----a-w- c:\windows\system32\mfplat.dll
2012-10-11 05:34:13 155880 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-10-11 05:33:40 457624 ----a-w- c:\windows\system32\ci.dll
2012-10-11 05:28:23 46824 ----a-w- c:\windows\system32\drivers\sdstor.sys
2012-10-11 05:27:13 493136 ----a-w- c:\windows\system32\drivers\cng.sys
2012-10-11 05:18:30 1262744 ----a-w- c:\windows\system32\WMALFXGFXDSP.dll
2012-10-11 05:08:28 411648 ----a-w- c:\windows\system32\winlogon.exe
2012-10-11 05:08:22 671232 ----a-w- c:\windows\system32\SearchIndexer.exe
2012-10-11 05:08:22 303104 ----a-w- c:\windows\system32\SearchProtocolHost.exe
2012-10-11 05:08:22 170496 ----a-w- c:\windows\system32\SearchFilterHost.exe
2012-10-11 05:08:11 40960 ----a-w- c:\windows\system32\BdeUISrv.exe
2012-10-11 05:06:45 289280 ----a-w- c:\windows\system32\mswsock.dll
2012-10-11 05:05:53 154112 ----a-w- c:\windows\system32\bdesvc.dll
2012-10-11 05:05:51 99840 ----a-w- c:\windows\system32\AppxSip.dll
2012-10-11 04:43:40 34816 ----a-w- c:\windows\system32\microsoft-windows-pdc.dll
2012-10-11 04:42:57 6144 ----a-w- c:\windows\system32\kbdhebl3.dll
2012-10-11 04:42:25 9728 ----a-w- c:\windows\system32\wlanhlp.dll
2012-10-11 04:40:00 5120 ----a-w- c:\windows\system32\drivers\drmkaud.sys
2012-10-11 04:39:47 83456 ----a-w- c:\windows\system32\drivers\drmk.sys
2012-10-11 04:37:50 218112 ----a-w- c:\windows\system32\drivers\portcls.sys
2012-10-11 04:36:38 56832 ----a-w- c:\windows\system32\drivers\mpsdrv.sys
2012-10-10 06:31:46 72192 ----a-w- c:\windows\system32\synceng.dll
.
============= FINISH: 19:52:37.84 ===============
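
An added triage example (not part of the original post, and not a DDS, OTL or BleepingComputer tool): the log above is long, and the entries an analyst pulls out first are the ones that show several independent odd traits at once. The Python below scores the "Pseudo HJT Report" and "Created Last 30" sections against such traits: a Run value named with a GUID instead of a product name, an executable launched at logon from a user-writable profile folder, a random-looking or hidden parent folder created recently, a BHO whose backing file is missing, and a hosts entry that sinkholes a remote host to loopback. The sample lines are copied from the log posted above (plus benign entries as controls); the trait list, the folder-name pattern and the severity thresholds are the example's own assumptions, and a hit means "look at this", not "this is the trojan". On these lines it ranks the `uRun` entry for `c:\users\kevin mark\appdata\roaming\4f85k48\Boot inf.exe` highest, because its value name is a GUID, it runs from Roaming, and the `4f85k48` folder appears in "Created Last 30" as hidden (`d--h--w-`) on the same day the DDS log was taken; the `brumacldegrm` BHO with `<no file>`, the orphaned BHO and the `validation.sls.microsoft.com` hosts entry come out as medium.

```python
"""Triage a DDS "Pseudo HJT Report" for autostart entries that merit a closer
look. Added example for this thread; it is not part of DDS, OTL or any
BleepingComputer tool, and the scoring rules are this example's own heuristics."""
import re
from dataclasses import dataclass, field
from typing import List, Set

# Constructed sample: lines copied verbatim from the DDS log posted above,
# with benign entries (Google Update, egui, Adobe BHO) left in as controls.
SAMPLE_LOG = r"""
uRun: [Google Update] "c:\users\kevin mark\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [{E5942C16-2F98-8D32-6BFB-878C8ED072EF}] c:\users\kevin mark\appdata\roaming\4f85k48\Boot inf.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: brumacldegrm Object: {F7C28AAD-3A72-4FB7-ADD3-71CD9DB2418E} - LocalServer32 - <no file>
Hosts: 127.0.0.1 validation.sls.microsoft.com
2012-12-31 06:06:54 -------- d--h--w- c:\users\kevin mark\appdata\roaming\4f85k48
"""

GUID_RE  = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
RUN_RE   = re.compile(r'^[um]Run: \[(?P<name>[^\]]+)\]\s+"?(?P<path>[^"]+?\.exe)"?', re.I)
BHO_RE   = re.compile(r"^BHO: (?:(?P<desc>.+?): )?(?P<clsid>\{[^}]+\}) - (?P<target>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)$")
# "Created Last 30" rows: date time size attributes path (attributes carry 'h' when hidden)
DIR_RE   = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+ (?P<attr>d[-a-z]{7}) (?P<path>.+)$", re.I)

# Assumed heuristic: an .exe launched at logon from these user-writable trees
# deserves a look; installed software normally lives under Program Files.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\")
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


@dataclass
class Finding:
    severity: str            # "high" when several independent traits coincide
    line: str
    reasons: List[str] = field(default_factory=list)


def random_looking(name: str) -> bool:
    """Short names mixing letters and digits (e.g. '4f85k48'). Weak on its own,
    so it only ever adds to a finding another rule already raised."""
    return (re.fullmatch(r"[a-z0-9]{5,12}", name, re.I) is not None
            and any(c.isdigit() for c in name)
            and any(c.isalpha() for c in name))


def hidden_dirs(lines: List[str]) -> Set[str]:
    """Directories the 'Created Last 30' section lists with the hidden bit set."""
    out: Set[str] = set()
    for line in lines:
        m = DIR_RE.match(line)
        if m and "h" in m["attr"].lower():
            out.add(m["path"].lower().rstrip("\\"))
    return out


def triage(log_text: str) -> List[Finding]:
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    hidden = hidden_dirs(lines)
    findings: List[Finding] = []
    for line in lines:
        reasons: List[str] = []
        if m := RUN_RE.match(line):
            path = m["path"].lower()
            if GUID_RE.match(m["name"]):
                reasons.append("Run value is named with a GUID rather than a product name")
            if any(tree in path for tree in USER_WRITABLE):
                reasons.append("launches an .exe from a user-writable profile location")
                folder = path.rsplit("\\", 1)[0]
                if random_looking(folder.rsplit("\\", 1)[-1]):
                    reasons.append("parent folder has a random-looking name")
                if folder in hidden:
                    reasons.append("parent folder is hidden and was created in the last 30 days")
        elif m := BHO_RE.match(line):
            if "<no file>" in m["target"] or "<orphaned>" in m["target"]:
                reasons.append("BHO is registered but its backing file is missing")
        elif m := HOSTS_RE.match(line):
            if m["ip"] in SINKHOLE_IPS and m["host"].lower() != "localhost":
                reasons.append(f"hosts file sinkholes {m['host']} to {m['ip']}")
        if reasons:
            findings.append(Finding("high" if len(reasons) >= 3 else "medium", line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.line}")
        for r in f.reasons:
            print("    -", r)
```

Run it as a script to print the ranked findings, or pass a whole DDS.txt with `triage(open(path).read())`. The rules are deliberately conservative: a single trait (Dropbox also runs from Roaming, for instance) only yields a medium finding, and the hidden-folder rule can only fire when the "Created Last 30" section is included in the text handed to `triage`.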

#2 CStew23

Posted 01 January 2013 - 02:04 AM

Hello and Welcome to BleepingComputer Forums! :welcome:

My name is Chris and I will be helping you with your computer problems.

Before we begin, please note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only! If you are not the original poster of this thread, DO NOT run the fixes provided here.
  • Please do not run any tools until requested by myself or another member of staff! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something, don't hesitate to ask.
  • If you stay with me, follow my instructions and ask questions when confused, you'll be back up and running in no time :)

I must get my fixes approved, so I will be back to you ASAP.
Please don't send help requests via PM unless I am already helping you. Use the forums!
If you have not heard from me in 48 hours, please use this and send me a PM reminder.

#3 kfrabida

Posted 01 January 2013 - 10:39 PM

> Hello and Welcome to BleepingComputer Forums! :welcome:
>
> My name is Chris and I will be helping you with your computer problems.
>
> Before we begin, please note the following:
>
>   • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
>   • The logs can take some time to research, so please be patient with me.
>   • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
>   • Instructions that I give are for your system only! If you are not the original poster of this thread, DO NOT run the fixes provided here.
>   • Please do not run any tools until requested by myself or another member of staff! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
>   • Please perform all steps in the order received. If you can't understand something, don't hesitate to ask.
>   • If you stay with me, follow my instructions and ask questions when confused, you'll be back up and running in no time :)
>
> I must get my fixes approved, so I will be back to you ASAP.



Alright. Thanks :)

#4 CStew23

Posted 03 January 2013 - 04:23 PM

Hi,

I'd like you to try ComboFix. Please see the following guide on usage:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

#5 kfrabida

Posted 04 January 2013 - 12:46 AM

> Hi,
>
> I'd like you to try ComboFix. Please see the following guide on usage:
>
> http://www.bleepingcomputer.com/combofix/how-to-use-combofix
>
> * Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
>
> Please include the C:\ComboFix.txt in your next reply for further review.


Hey Chris.

Thanks for the assistance. I tried something. Since Nod32 is unable to clean the files, I figured that it's probably because they are being used by the system (explorer.exe and iexplore.exe). So I ended these applications using the Task Manager, then proceeded with the scan. So far, Nod32 doesn't detect the trojan anymore (I tried scanning a lot of times). Perhaps it's fixed then? Or should I push through with running ComboFix?

Regards.

#6 CStew23

Posted 04 January 2013 - 07:24 PM

Go ahead and run ComboFix; at the very least it will confirm a clean machine.

#7 kfrabida

Posted 05 January 2013 - 06:29 AM

> Go ahead and run ComboFix; at the very least it will confirm a clean machine.


Hey Chris, it seems like ComboFix is not yet compatible with Windows 8. Should I run the program in compatibility mode?

I also found this weird box that pops up during startup. It says 'server' has been built with an evaluation version of {smartassembly}, which expired on 03 January 2013. I haven't installed any software with this smartassembly.

Regards.

#8 CStew23

Posted 06 January 2013 - 02:09 PM

Looks like we won't get anywhere with ComboFix. Let's try another route.

We need to create an OTL report:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open; copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Edited by CStew23, 06 January 2013 - 02:10 PM.


#9 CStew23

Posted 18 January 2013 - 07:45 PM

Hi,

Still with me, or have you resolved this issue? Please let us know.

#10 Elise

Posted 25 January 2013 - 03:04 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

regards, Elise

