Can I be infected and no program to detect it?


6 replies to this topic

#1 sensey
  • Members
  • 9 posts

Posted 20 February 2013 - 11:06 AM

DDS Logs for topic http://www.bleepingcomputer.com/forums/t/485266/can-i-be-infected-and-no-program-to-detect-it/#entry2976585:

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.11.2
Run by Nico at 13:02:15 on 2013-02-20
#Option MBR scan  is disabled.
Microsoft Windows XP Professional  5.1.2600.3.1252.54.3082.18.2941.1878 [GMT -3:00]
.
AV: ESET NOD32 Antivirus 6.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
D:\Programas\Multimedia\X800 TVPro\Remote.exe
C:\Archivos de programa\ESET\ESET NOD32 Antivirus\egui.exe
C:\Archivos de programa\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\Archivos de programa\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Archivos de programa\NetLimiter 2 Pro\nlsvc.exe
C:\Archivos de programa\NetLimiter 2 Pro\NLClient.exe
D:\Programas\Internet\Mozilla Firefox\firefox.exe
D:\Programas\Internet\Mozilla Firefox\plugin-container.exe
D:\Programas\Multimedia\X800 TVPro\X800 TVPro.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mWinlogon: Userinit = c:\windows\system32\userinit.exe
uRun: [Skype] "c:\archivos de programa\skype\phone\Skype.exe" /minimized /regrun
uRun: [DisplayFusion] "c:\archivos de programa\displayfusion\DisplayFusion.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [MaySample MFC Application] d:\programas\multimedia\x800 tvpro\Remote.exe
mRun: [egui] "c:\archivos de programa\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
uPolicies-Explorer: NoDriveTypeAutoRun = dword:255
uPolicies-Explorer: ForceClassicControlPanel = dword:1
uPolicies-Explorer: NoSMHelp = dword:1
uPolicies-Explorer: NoSMConfigurePrograms = dword:1
uPolicies-Explorer: NoResolveTrack = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: ForceClassicControlPanel = dword:1
mPolicies-Explorer: NoSMHelp = dword:1
mPolicies-Explorer: NoSMConfigurePrograms = dword:1
mPolicies-Explorer: NoResolveTrack = dword:1
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xportar a Microsoft Excel - c:\archiv~1\micros~4\office11\EXCEL.EXE/3000
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1359992204562
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{A4AD11F9-0642-4B04-8FA0-827F6BE980AF} : DHCPNameServer = 192.168.1.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 vmci;VMware VMCI Bus Driver;c:\windows\system32\drivers\vmci.sys [2012-10-24 71152]
R0 vsock;vSockets Driver;c:\windows\system32\drivers\vsock.sys [2012-12-3 61464]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2012-10-8 121216]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2012-10-8 104736]
R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [2010-3-16 82872]
R2 ekrn;ESET Service;c:\archivos de programa\eset\eset nod32 antivirus\ekrn.exe [2012-11-26 1329304]
R2 vstor2-mntapi10-shared;Vstor2 MntApi 1.0 Driver (shared);c:\windows\system32\drivers\vstor2-mntapi10-shared.sys [2011-7-12 22768]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [2011-12-31 103040]
R3 AV88BASE;Cx2388x Base Driver;c:\windows\system32\drivers\av88base.sys [2011-10-7 441088]
R3 EtronHub3;Etron USB 3.0 Extensible Hub Driver;c:\windows\system32\drivers\EtronHub3.sys [2011-1-26 32256]
R3 EtronXHCI;Etron USB 3.0 Extensible Host Controller Driver;c:\windows\system32\drivers\EtronXHCI.sys [2011-1-26 52224]
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [2011-10-9 30392]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2011-10-7 1691480]
S3 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\archivos de programa\tuneup utilities 2013\TuneUpUtilitiesService32.exe [2012-10-8 1699168]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\archivos de programa\tuneup utilities 2013\TuneUpUtilitiesDriver32.sys [2012-9-18 10088]
S3 VMUSBArbService;VMware USB Arbitration Service;c:\archivos de programa\archivos comunes\vmware\usb\vmware-usbarbitrator.exe [2012-10-11 721048]
S3 VSPerfDrv100;Performance Tools Driver 10.0;c:\archivos de programa\microsoft visual studio 10.0\team tools\performance tools\VSPerfDrv100.sys [2011-1-18 54144]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [2011-10-7 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [2011-10-7 85696]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
.
=============== Created Last 30 ================
.
2013-02-09 05:20:11    --------    d-----w-    c:\windows\pss
2013-02-08 20:02:04    --------    d-sh--w-    c:\users\nico\datos de programa\Common
2013-02-08 20:02:03    --------    d-----w-    c:\users\nico\datos de programa\DisplayFusion
2013-02-08 20:00:18    15088    ----a-w-    c:\users\nico\datos de programa\microsoft\identitycrl\production\ppcrlconfig.dll
2013-02-08 19:53:40    --------    d-----w-    c:\users\nico\datos de programa\BitTorrent
2013-02-08 19:53:33    --------    d-----w-    c:\users\nico\datos de programa\CodeBlocks
2013-02-08 19:53:24    --------    d-----w-    c:\users\nico\datos de programa\Dev-Cpp
2013-02-08 19:53:02    --------    d-----w-    c:\users\nico\datos de programa\Hex-Rays
2013-02-08 19:50:30    --------    d-sh--w-    c:\users\nico\IETldCache
2013-02-08 19:50:13    --------    d-sh--w-    c:\users\nico\IECompatCache
2013-02-08 19:49:49    --------    d-sh--w-    c:\users\nico\PrivacIE
2013-02-08 19:42:16    --------    d-----w-    c:\users\nico\datos de programa\TuneUp Software
2013-02-08 19:38:12    --------    d-----w-    c:\users\nico\datos de programa\Subversion
2013-02-04 20:10:30    --------    d-----w-    C:\$RECYCLE.BIN
2013-02-04 14:16:13    35144    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2013-02-04 14:03:37    21104    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-02-04 14:03:37    --------    d-----w-    c:\users\all users\datos de programa\Malwarebytes
2013-02-03 22:38:40    --------    d-----w-    c:\users\all users\datos de programa\Acunetix WVS 8
2013-02-01 19:48:49    --------    d-----w-    c:\archivos de programa\ESET
2013-01-31 09:26:49    222448    ----a-w-    c:\windows\system32\muweb.dll
2013-01-25 22:19:35    94112    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll

.

==================== Find3M  ====================
.
2013-01-26 03:55:37    552448    ----a-w-    c:\windows\system32\oleaut32.dll
2013-01-25 22:19:26    143872    ----a-w-    c:\windows\system32\javacpl.cpl
2013-01-25 22:19:25    780192    ----a-w-    c:\windows\system32\deployJava1.dll
2013-01-09 17:50:09    74248    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-01-09 17:50:09    697864    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-01-09 17:41:25    859072    ----a-w-    c:\windows\system32\npDeployJava1.dll
2013-01-07 07:23:55    2151424    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-01-07 07:23:52    2030080    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-01-04 10:08:36    1876352    ----a-w-    c:\windows\system32\win32k.sys
2013-01-02 06:49:05    148992    ----a-w-    c:\windows\system32\mpg2splt.ax
2013-01-02 06:49:05    1298432    ----a-w-    c:\windows\system32\quartz.dll
2012-12-26 20:19:30    920064    ----a-w-    c:\windows\system32\wininet.dll
2012-12-26 20:19:15    43520    ----a-w-    c:\windows\system32\licmgr10.dll
2012-12-26 20:19:12    1469440    ----a-w-    c:\windows\system32\inetcpl.cpl
2012-12-24 07:03:04    385024    ----a-w-    c:\windows\system32\html.iec
2012-12-16 12:23:59    290560    ----a-w-    c:\windows\system32\atmfd.dll
.
============= FINISH: 13:02:39,76 ===============
 

Edited by sensey, 20 February 2013 - 11:08 AM.
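A small triage helper for the DDS "Pseudo HJT Report" format shown in the log above, added here as an example and not part of the original thread or of the DDS tool: it parses uRun/mRun autostart lines and the NoDriveTypeAutoRun policy values, flags binaries that are started by bare name or from user-writable paths, and decodes which drive types still have AutoRun allowed. The trusted-directory list and the sample excerpt are assumptions constructed for this example.

```python
import re

# Constructed excerpt in DDS "Pseudo HJT Report" style; paths mirror the log above, the
# "Updater" entry is made up so that the checks have something to flag.
SAMPLE_DDS = r"""
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [egui] "c:\archivos de programa\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
uRun: [Updater] c:\users\nico\datos de programa\temp\updater.exe /silent
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveTypeAutoRun = dword:255
"""

RUN_RE = re.compile(r'^([um])Run:\s+\[([^\]]*)\]\s+(.*)$', re.I)
POLICY_RE = re.compile(r'^([um])Policies-Explorer:\s+NoDriveTypeAutoRun\s+=\s+dword:(\d+)$', re.I)
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|dll|cpl|scr))"?(?:\s|$)', re.I)
# Where autostart binaries are expected on this machine (assumed for the example)
TRUSTED_ROOTS = ('c:\\windows\\', 'c:\\archivos de programa\\', 'c:\\program files\\', 'd:\\programas\\')
# Locations a non-admin user can write to; an autostart living there deserves a closer look
USER_WRITABLE = ('\\users\\', '\\documents and settings\\', '\\datos de programa\\', '\\appdata\\', '\\temp\\')
# NoDriveTypeAutoRun is a bitmask by drive type; a set bit disables AutoRun for that type
DRIVE_BITS = {0x04: 'removable', 0x08: 'fixed', 0x10: 'network', 0x20: 'cdrom'}

def audit_run_entry(line):
    """Parse one uRun/mRun line into a record with findings; None if the line is not one."""
    m = RUN_RE.match(line.strip())
    if not m:
        return None
    scope, name, cmd = m.groups()
    exe = EXE_RE.match(cmd)
    path = (exe.group(1) if exe else cmd).lower()
    findings = []
    if '\\' not in path:
        findings.append('bare filename, resolved through the search path')
    elif any(part in path for part in USER_WRITABLE):
        findings.append('runs from a user-writable location')
    elif not path.startswith(TRUSTED_ROOTS):
        findings.append('outside the expected program directories')
    return {'scope': 'user' if scope.lower() == 'u' else 'machine', 'name': name, 'path': path, 'findings': findings}

def autorun_still_enabled(value):
    """Drive types on which AutoRun is still allowed by a NoDriveTypeAutoRun value (DDS prints it in decimal)."""
    return [kind for bit, kind in DRIVE_BITS.items() if not value & bit]

def audit_dds(text):
    """Collect flagged autostarts and AutoRun policy gaps from a DDS excerpt."""
    report = {'flagged': [], 'autorun': {}}
    for line in text.splitlines():
        entry = audit_run_entry(line)
        if entry is not None:
            if entry['findings']:
                report['flagged'].append(entry)
            continue
        p = POLICY_RE.match(line.strip())
        if p:
            scope = 'user' if p.group(1).lower() == 'u' else 'machine'
            report['autorun'][scope] = autorun_still_enabled(int(p.group(2)))
    return report
```

Run `audit_dds(open('dds.txt').read())` against a full DDS log; the value 255 in the log above (all four bits set) disables AutoRun everywhere, while the machine-wide 323 leaves it enabled for removable and CD-ROM drives.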



#2 nasdaq
  • Malware Response Team
  • 39,954 posts
  • Location: Montreal, QC. Canada

Posted 24 February 2013 - 10:10 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
 
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===
Please download ComboFix from one of these locations:
IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.
 
Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html
 
Do not mouse click ComboFix's window while it's running. That may cause it to stall.
 
Note: If, after running ComboFix, you get the error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program, all you need to do is restart the computer to reset the registry.
===
 
Third party programs, if not up to date, can be the cause of infiltration and infection.
 
Please run this security check for my review.
 
Download Security Check by screen317 from here.
  • Save it to your Desktop.

  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.

  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

===
 
Search for and delete the adware and PUPs (Potentially Unwanted Programs) installed on your computer.
 
Please download AdwCleaner by Xplode onto your Desktop.

  • Close all open programs and internet browsers.

  • Double click on AdwCleaner.exe to run the tool.

  • Click on the Delete tab and follow the prompts.

  • A log file will automatically open after the scan has finished.

  • Please post the content of that log file with your next answer.

  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).

Please post the logs and let me know if the problem persists.


#3 sensey
  • Topic Starter
  • Members
  • 9 posts

Posted 27 February 2013 - 08:28 AM

 Results of screen317's Security Check version 0.99.60  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:``````````````
Please wait while WMIC compiles updated MOF files.
displayName
ECHO está desactivado.
ESET
ECHO está desactivado.
NOD32
ECHO está desactivado.
Antivirus
ECHO está desactivado.
6.0
ECHO está desactivado.
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware versión 1.70.0.1100  
 TuneUp Utilities 2013   
 TuneUp Utilities Language Pack (es-ES)
 TuneUp Utilities 2013   
 TuneUp Utilities Language Pack (es-ES)
 Java™ 6 Update 26  
 Java 7 Update 11  
 Java version out of Date!
 Adobe Flash Player     11.6.602.171  
 Adobe Reader XI  
 Mozilla Firefox 18.0.2 Firefox out of Date!  
 Mozilla Thunderbird (17.0.2)
 Google Chrome 23.0.1271.97  
````````Process Check: objlist.exe by Laurent````````  
 ESET NOD32 Antivirus egui.exe  
 ESET NOD32 Antivirus ekrn.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 6%
````````````````````End of Log``````````````````````
 

 

Note: you didn't ask me for a TDSSKiller log, but, just in case...


#4 nasdaq
  • Malware Response Team
  • 39,954 posts
  • Location: Montreal, QC. Canada

Posted 27 February 2013 - 10:17 AM

Secure your system by updating 3rd party programs.
 
Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
 
Be careful not to install malware posing as a Java update!
Important: read this blog.
 
Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
 
How to disable Java in your browsers
 
You can manually check your present version and update as recommended.
 
If present, remove the old version(s) of Java using the Add/Remove Programs applet.
 
 Java™ 6 Update 26  
 Java 7 Update 11 
 
Java 7 Update 10 introduced important new security controls.
You can read about it here.
 
Note
The Java security update installs the Ask Toolbar by default -- a single click in a multi-step installer.
I suggest that you un-check the box "Install the Ask Toolbar" before proceeding.
===
 
Please let me know what problem persists.


#5 sensey
  • Topic Starter
  • Members
  • 9 posts

Posted 27 February 2013 - 12:27 PM

That's all? Java was outdated because it was not being used on the PC.

 

Regards



#6 nasdaq
  • Malware Response Team
  • 39,954 posts
  • Location: Montreal, QC. Canada

Posted 27 February 2013 - 01:56 PM

If all is well:
 
Time for some housekeeping
The following will implement some cleanup procedures as well as reset System Restore points:
 
Click Start > Run  and copy/paste the following bold text into the Run box and click OK:
 
ComboFix /Uninstall 
===
 
To remove AdwCleaner.
 
Please double click on AdwCleaner.exe to run the tool.
Click on Uninstall.
Confirm with Yes.
 
If you decide to keep the AdwCleaner tool, make sure to delete your version and download the latest before running it.
 
Delete the other tools we used.
You can keep the DDS tool as most forums will ask to see a log before suggesting a fix.
 
Surf Safely, and Think Prevention!
===


#7 nasdaq
  • Malware Response Team
  • 39,954 posts
  • Location: Montreal, QC. Canada

Posted 05 March 2013 - 10:39 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
