Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with JS/Security Disable (i think)


  • This topic is locked This topic is locked
4 replies to this topic

#1 mm790

mm790

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:05:09 PM

Posted 12 November 2013 - 05:43 AM

Been refered to you guys from here

 

http://www.bleepingcomputer.com/forums/t/512197/need-help-about-to-throw-computer-away/page-4

 

The steps taken so far have freed up my computer quite a lot however the trojan or whatever is

 

eset Scan pick up 3 JS/securitydisable.a.gen application threats , i delete them  however they reappear and computer starts to slow down again

 

I do think whatever i have is targeting my antivurus as per instructions received on previous thread once antivirus was disablled computer works fine

 

Appreciate any help you guys can give

 

 

 

 

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.45.2
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.3319.1689 [GMT 11:00]
.
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\D-Link\DWA-131 revA\wirelesscm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ESET\ESET Online Scanner\OnlineScannerApp.exe
C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe
C:\Program Files\Anno 1701\Anno1701.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.au/
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Free Download Manager: {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - c:\program files\free download manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"  /MINIMIZED
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\d-link\dwa-131 reva\wirelesscm.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoResolveTrack = dword:1
uPolicies-Explorer: NoThumbnailCache = dword:1
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoResolveTrack = dword:1
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Download all with Free Download Manager - c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\program files\avira\antivir desktop\avsda.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/E/3/9/E39C664F-A8E3-4F69-A109-1AE9849204EE/OGAControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1230737341734
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230737334343
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5468/mcfscan.cab
TCP: NameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{3A57B9D0-D034-4F9E-9F53-A0F3536CAEDB} : NameServer = 203.12.160.35
TCP: Interfaces\{3A57B9D0-D034-4F9E-9F53-A0F3536CAEDB} : DHCPNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{85AD8EDE-77A5-4D1A-8E42-B6D099C79804} : NameServer = 203.12.160.35,203.12.160.36
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\david  powell\application data\mozilla\firefox\profiles\2fm1utzm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=utf-8&q=
FF - plugin: c:\documents and settings\david  powell\application data\mozilla\firefox\profiles\2fm1utzm.default\extensions\devicedetection@logitech.com\plugins\npLogitechDeviceDetection.dll
FF - plugin: c:\documents and settings\david  powell\local settings\application data\google\update\1.3.21.165\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_9_900_117.dll
.
============= SERVICES / DRIVERS ===============
.
R1 appdrv01;Application Driver (01);c:\windows\system32\drivers\appdrv01.sys [2011-8-6 3333808]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2013-11-10 37352]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-11-17 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-11-17 55024]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2013-11-10 89376]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2008-11-6 39424]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-11-6 116224]
R3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\drivers\RTL8192su.sys [2012-10-14 588032]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys --> c:\windows\system32\drivers\pavboot.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2013-7-7 1691480]
S3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\drivers\dc3d.sys [2013-7-7 45288]
S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\drivers\ivusb.sys [2010-7-29 25112]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2011-8-17 18432]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-11-17 7408]
.
=============== Created Last 30 ================
.
2013-11-11 12:26:04    --------    d-----w-    c:\documents and settings\david  powell\data
2013-11-11 12:09:51    --------    d-----w-    c:\program files\Anno 1701
2013-11-11 11:57:40    271360    ----a-w-    c:\windows\system32\drivers\atksgt.sys
2013-11-11 11:57:39    18048    ----a-w-    c:\windows\system32\drivers\lirsgt.sys
2013-11-10 06:20:24    37352    ----a-w-    c:\windows\system32\drivers\avkmgr.sys
2013-11-10 06:20:23    89376    ----a-w-    c:\windows\system32\drivers\avgntflt.sys
2013-11-09 11:29:16    --------    d-----w-    c:\windows\system32\MRT
2013-11-09 06:28:23    --------    d-----w-    c:\program files\Speccy
2013-11-08 13:59:04    --------    d-----w-    c:\windows\system32\CatRoot2
2013-11-08 10:54:59    --------    d-----w-    c:\program files\Tweaking.com
2013-11-08 03:22:37    --------    d-----w-    C:\AdwCleaner
2013-11-06 19:07:55    92272    ----a-w-    c:\program files\mozilla firefox\nssdbm3.dll
2013-11-06 09:50:08    0    ----a-w-    c:\documents and settings\david  powell\ntuser.tmp
2013-11-05 21:08:03    --------    d-----w-    c:\windows\system32\NtmsData
2013-11-05 20:50:39    105176    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2013-11-05 06:06:47    --------    d-----w-    c:\program files\ESET
2013-11-04 12:31:43    --------    d-----w-    c:\documents and settings\david  powell\application data\Avira
2013-11-04 11:58:59    145408    ----a-w-    c:\windows\system32\javacpl.cpl
2013-11-04 11:58:44    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-11-04 11:18:23    --------    d-----w-    c:\program files\Avira
2013-11-04 11:18:23    --------    d-----w-    c:\documents and settings\all users\application data\Avira
2013-11-04 10:07:55    --------    d-----w-    c:\documents and settings\all users\application data\CheckPoint
2013-11-04 10:04:23    --------    d-----w-    c:\documents and settings\all users\application data\Free Download Manager
2013-11-04 09:20:38    --------    d-----w-    c:\windows\ERUNT
2013-11-03 11:54:13    --------    d-----w-    c:\documents and settings\all users\application data\Malwarebytes' Anti-Malware (portable)
2013-11-03 11:53:28    47064    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
.
==================== Find3M  ====================
.
2013-10-09 10:14:05    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-10-09 10:14:04    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-23 18:33:58    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-09-23 18:33:57    43520    ------w-    c:\windows\system32\licmgr10.dll
2013-09-23 18:33:57    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-09-23 18:33:56    18944    ----a-w-    c:\windows\system32\corpol.dll
2013-09-23 18:06:48    385024    ------w-    c:\windows\system32\html.iec
2013-08-29 01:31:44    1878656    ----a-w-    c:\windows\system32\win32k.sys
.
============= FINISH: 21:26:19.59 ===============
 

Attached Files



BC AdBot (Login to Remove)

 


#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:09 AM

Posted 12 November 2013 - 09:21 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

 

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 mm790

mm790
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:05:09 PM

Posted 14 November 2013 - 01:42 AM

Hi Marius i really appreciate your help Sorry for the delay in getting back to you i have been having issues with computer again

 

I hope this is the log you where after i have tried to rerun gmer however evey time i run it i get a blue screen PFN_List_corrupt

 

GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-11-13 21:47:24

Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-10 WDC_WD5000AACS-00G8B1 rev.05.04C05 465.76GB Running: bin92qf5.exe; Driver: C:\DOCUME~1\DAVIDP~1\LOCALS~1\Temp\kfqiypod.sys ---- System - GMER 2

 

 

SSDT  A5E8D454  ZwClose
SSDT  A5E8D40E  ZwCreateKey
SSDT  A5E8D45E  ZwCreateSection
SSDT  A5E8D404  ZwCreateThread
SSDT  A5E8D413  ZwDeleteKey
SSDT  A5E8D41D  ZwDeleteValueKey
SSDT  A5E8D44F  ZwDuplicateObject
SSDT  A5E8D422  ZwLoadKey
SSDT  A5E8D3F0  ZwOpenProcess
SSDT  A5E8D3F5  ZwOpenThread
SSDT  A5E8D477  ZwQueryValueKey
SSDT  A5E8D42C  ZwReplaceKey
SSDT  A5E8D468  ZwRequestWaitReplyPort
SSDT  A5E8D427  ZwRestoreKey
SSDT  A5E8D463  ZwSetContextThread
SSDT  A5E8D46D  ZwSetSecurityObject
SSDT  A5E8D418  ZwSetValueKey
SSDT  A5E8D472  ZwSystemDebugControl
SSDT  A5E8D3FF  ZwTerminateProcess
 


Edited by mm790, 14 November 2013 - 01:44 AM.


#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:09 AM

Posted 14 November 2013 - 03:17 AM

Follow the instructions @ sevenforums.com to check your computer for faulty memory:

 

http://www.sevenforums.com/tutorials/105647-ram-test-memtest86.html


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#5 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:09 AM

Posted 20 November 2013 - 03:39 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users