
Persistent Win32: PUP-gen



#1 sh4rkbyt3

  • Members
  • 419 posts
  • Gender:Male
Posted 13 December 2014 - 12:17 PM

After docking an infected HDD from a laptop I wound up contracting the Win32: PUP-gen malware. Loaded and wiped my system's C: drive 3-4 times with no luck using DBAN. After using Ubuntu to try and locate the infection from my SSD, I think I may have gotten it?
Just wanted to get this checked out to see if it is gone, as it also spread to several other computers I've been working on through the HDD docking station.
Here are my DDS log results:

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17496
Run by Nexus1 at 12:10:52 on 2014-12-13
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.8190.6596 [GMT -5:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\DAODx.exe
C:\Program Files\McAfee\Raptor\Raptor.exe
C:\Windows\System32\rundll32.exe
C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
C:\Program Files (x86)\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe
C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Windows\system32\AMBSpiE.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\taskhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\SearchProtocolHost.exe
c:\program files\windows defender\MpCmdRun.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe
mRun: [VolPanel] "C:\Program Files (x86)\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe" /r
mRun: [UpdReg] C:\Windows\UpdReg.EXE
mRun: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
mRun: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
DPF: {B479199A-1242-4E3C-AD81-7F0DF801B4AE} - hxxp://download.microsoft.com/download/C/9/C/C9C3D86D-84AC-4AF0-8584-842756A66467/MicrosoftDownloadManager.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{AA440A6D-DB14-4715-AD60-5AF27955D187} : DHCPNameServer = 192.168.1.1
SSODL: WebCheck - <orphaned>
x64-Run: [RunDLLEntry] C:\Windows\System32\RunDLL32.exe C:\Windows\System32\AmbRunE.dll,RunDLLEntry
x64-Run: [NvBackend] "C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe"
x64-RunOnce: [Raptor] "C:\Program Files\McAfee\Raptor\Raptor.exe" --run
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2014-12-12 411936]
R2 UMVPFSrv;UMVPFSrv;C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2012-1-18 450848]
R3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\System32\drivers\lvrs64.sys [2012-1-18 351136]
R3 LVUVC64;Logitech HD Webcam C310(UVC);C:\Windows\System32\drivers\lvuvc64.sys [2012-1-18 4865568]
R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2010-1-22 77824]
R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2010-1-22 180224]
R3 skfiltv;skfiltv;C:\Windows\System32\drivers\skfiltv.sys [2008-8-14 24064]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\System32\drivers\usbfilter.sys [2014-12-12 39480]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;C:\Windows\System32\drivers\viahduaa.sys [2014-12-12 1301504]
R3 VMfilt;VMfilt;C:\Windows\System32\drivers\VMfilt64.sys [2014-12-12 25600]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2010-3-17 401696]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2014-12-12 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2014-12-12 79360]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-12-13 114688]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2014-12-13 20992]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2014-12-13 59392]
.
=============== Created Last 30 ================
.
2014-12-13 16:17:51 -------- d-sh--w- C:\Users\Nexus1\AppData\Local\EmieUserList
2014-12-13 16:17:51 -------- d-sh--w- C:\Users\Nexus1\AppData\Local\EmieSiteList
2014-12-13 16:17:51 -------- d-sh--w- C:\Users\Nexus1\AppData\Local\EmieBrowserModeList
2014-12-13 16:17:28 75888 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{BF8B3E72-8E26-4118-BA24-50037E3CC843}\offreg.dll
2014-12-13 16:11:14 -------- d--h--w- C:\Windows\msdownld.tmp
2014-12-13 16:03:10 878080 ----a-w- C:\Windows\System32\advapi32.dll
2014-12-13 16:02:53 68608 ----a-w- C:\Windows\System32\taskhost.exe
2014-12-13 16:01:37 1887232 ----a-w- C:\Windows\System32\d3d11.dll
2014-12-13 16:01:37 1505280 ----a-w- C:\Windows\SysWow64\d3d11.dll
2014-12-13 05:13:34 -------- d-----w- C:\Windows\System32\SPReview
2014-12-13 05:08:08 6144 ----a-w- C:\Windows\System32\drivers\en-US\rdvgkmd.sys.mui
2014-12-13 05:08:08 2560 ----a-w- C:\Windows\System32\drivers\en-US\rdpwd.sys.mui
2014-12-13 05:08:06 4096 ----a-w- C:\Windows\System32\drivers\en-US\tsusbhub.sys.mui
2014-12-13 05:08:06 3072 ----a-w- C:\Windows\System32\drivers\en-US\tsusbflt.sys.mui
2014-12-13 05:08:03 6144 ----a-w- C:\Windows\System32\drivers\en-US\IPMIDrv.sys.mui
2014-12-13 05:08:03 4608 ----a-w- C:\Windows\System32\drivers\en-US\kbdclass.sys.mui
2014-12-13 05:06:00 749568 ----a-w- C:\Program Files\Common Files\System\msadc\msadce.dll
2014-12-13 05:06:00 226304 ----a-w- C:\Windows\SysWow64\MSAC3ENC.DLL
2014-12-13 05:06:00 213504 ----a-w- C:\Windows\SysWow64\MMDevAPI.dll
2014-12-13 05:06:00 212992 ----a-w- C:\Program Files (x86)\Common Files\System\msadc\msadco.dll
2014-12-13 05:06:00 211456 ----a-w- C:\Windows\System32\mprddm.dll
2014-12-13 05:06:00 209920 ----a-w- C:\Windows\SysWow64\mstask.dll
2014-12-13 05:06:00 114688 ----a-w- C:\Program Files\Common Files\System\msadc\msadcf.dll
2014-12-13 05:06:00 102400 ----a-w- C:\Windows\System32\mobsync.exe
2014-12-13 05:06:00 101376 ----a-w- C:\Windows\SysWow64\mobsync.exe
2014-12-13 02:25:42 -------- d-----w- C:\Windows\System32\catroot2
2014-12-13 02:23:42 -------- d-----w- C:\Program Files\McAfee
2014-12-13 02:23:38 -------- d-----w- C:\Program Files\stinger
2014-12-13 02:23:17 -------- d-----w- C:\Windows\SysWow64\wbem\Performance
2014-12-13 02:09:54 -------- d-----w- C:\Program Files (x86)\stinger
2014-12-13 02:08:48 -------- d-----w- C:\AdwCleaner
2014-12-13 02:07:39 -------- d-----w- C:\Windows\Panther
2014-12-13 01:02:53 -------- d-----w- C:\Program Files (x86)\Microsoft Download Manager
2014-12-13 00:44:33 -------- d-----w- C:\Users\Nexus1\AppData\Local\NVIDIA
2014-12-13 00:35:32 -------- d-s---w- C:\Windows\System32\CompatTel
2014-12-13 00:35:32 -------- d-----w- C:\Windows\System32\appraiser
2014-12-13 00:29:06 -------- d-----w- C:\Windows\System32\MRT
2014-12-12 23:56:26 830976 ----a-w- C:\Windows\System32\appraiser.dll
2014-12-12 23:56:26 741376 ----a-w- C:\Windows\System32\invagent.dll
2014-12-12 23:56:26 413184 ----a-w- C:\Windows\System32\generaltel.dll
2014-12-12 23:56:26 396800 ----a-w- C:\Windows\System32\devinv.dll
2014-12-12 23:56:26 1232040 ----a-w- C:\Windows\System32\aitstatic.exe
2014-12-12 23:37:43 142336 ----a-w- C:\Windows\System32\poqexec.exe
2014-12-12 23:37:43 123904 ----a-w- C:\Windows\SysWow64\poqexec.exe
2014-12-12 23:32:40 11632448 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{BF8B3E72-8E26-4118-BA24-50037E3CC843}\mpengine.dll
2014-12-12 23:32:39 275080 ------w- C:\Windows\System32\MpSigStub.exe
2014-12-12 23:27:28 -------- d-----w- C:\Program Files (x86)\NEC Electronics
2014-12-12 23:27:05 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2014-12-12 23:27:04 99840 ----a-w- C:\Windows\System32\wudriver.dll
2014-12-12 23:27:04 36864 ----a-w- C:\Windows\System32\wuapp.exe
2014-12-12 23:27:04 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2014-12-12 23:26:34 -------- d-----w- C:\Users\Nexus1\AppData\Local\Downloaded Installations
2014-12-12 23:24:48 90112 ------w- C:\Windows\Updreg.EXE
2014-12-12 23:23:57 -------- d-----w- C:\Program Files\Creative
2014-12-12 23:23:09 77824 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctor.dll
2014-12-12 23:23:09 32768 ------w- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\objectps.dll
2014-12-12 23:23:09 225280 ------w- C:\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll
2014-12-12 23:23:09 176128 ------w- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuser.dll
2014-12-12 23:23:09 -------- d-----w- C:\Program Files (x86)\Creative
2014-12-12 23:23:06 729088 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iKernel.dll
2014-12-12 23:23:06 69715 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\ctor.dll
2014-12-12 23:23:06 5632 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\DotNetInstaller.exe
2014-12-12 23:23:06 266240 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iscript.dll
2014-12-12 23:23:06 192512 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iuser.dll
2014-12-12 23:23:03 311428 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\setup.dll
2014-12-12 23:23:03 188548 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iGdi.dll
2014-12-12 23:22:20 414632 ------w- C:\Windows\difxapi.dll
2014-12-12 23:22:19 -------- d-----w- C:\Program Files (x86)\VIA
2014-12-12 23:21:06 39480 ----a-w- C:\Windows\System32\drivers\usbfilter.sys
2014-12-12 23:21:06 -------- d-----w- C:\Program Files (x86)\AMD
2014-12-12 23:20:56 -------- d-sh--w- C:\Windows\Installer
2014-12-12 23:20:36 -------- d-----w- C:\Program Files\ATI Technologies
2014-12-12 23:20:33 -------- d-----w- C:\Program Files\ATI
2014-12-12 23:19:29 -------- d-----w- C:\Program Files (x86)\ASUS
2014-12-12 23:19:24 724992 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\00\Intel32\iKernel.dll
2014-12-12 23:19:24 69715 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\00\Intel32\ctor.dll
2014-12-12 23:19:24 5632 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\00\Intel32\DotNetInstaller.exe
2014-12-12 23:19:24 32768 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\Objectps.dll
2014-12-12 23:19:24 311428 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\00\Intel32\Setup.dll
2014-12-12 23:19:24 266240 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\00\Intel32\iscript.dll
2014-12-12 23:19:24 192512 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\00\Intel32\iuser.dll
2014-12-12 23:19:24 184452 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\00\Intel32\iGdi.dll
.
==================== Find3M  ====================
.
2014-12-13 16:03:10 859648 ----a-w- C:\Windows\System32\tdh.dll
2014-12-13 16:02:01 9728 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2014-12-13 05:12:05 175616 ----a-w- C:\Windows\System32\msclmd.dll
2014-12-13 05:12:05 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2014-12-12 23:24:44 466456 ----a-w- C:\Windows\System32\wrap_oal.dll
2014-12-12 23:24:44 444952 ----a-w- C:\Windows\SysWow64\wrap_oal.dll
2014-12-12 23:24:44 122904 ----a-w- C:\Windows\System32\OpenAL32.dll
2014-12-12 23:24:44 109080 ----a-w- C:\Windows\SysWow64\OpenAL32.dll
.
============= FINISH: 12:10:57.70 ===============

#2 nasdaq

  • Malware Response Team
  • 40,215 posts
  • Gender:Male
  • Location:Montreal, QC, Canada

Posted 18 December 2014 - 09:54 AM

Hello, welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system:
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply; DO NOT ATTACH THEM unless specified.
To attach a file, select "More Reply Options" and follow the instructions.

Wait for further instructions.

#3 nasdaq

  • Malware Response Team
  • 40,215 posts
  • Gender:Male
  • Location:Montreal, QC, Canada

Posted 23 December 2014 - 10:19 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
