Java blackhole exploit



Hello,

A few weeks ago I received a spam email to my university email, which never receives spam. It was right after I used LinkedIn, if that's a possible connection. It was concerning a wire transfer, and because I actually had a wire transfer pending at the time, I opened the link. (I still have the email and the address saved if it would be helpful.)

It was just a blank page, but it did ask me for permission to run Java, which I allowed. (I was using Google Chrome.)

After realizing how stupid that was, I did a Google search and found that similar types of spam mail were linked to Java Blackhole exploits.

At the time I ran Malwarebytes and got rid of one infection (I am not sure if that infection was already there or not), and I uninstalled Java, deleted the folder "java", and then installed the latest version.

There has been nothing wrong with the computer, but it is one I received to use at work, so I wanted to make sure it was clean. I should have followed up sooner but didn't have the time.

I haven't input any information such as passwords for financial institutions. I have been using it for email, and I am connected to the company network. Could that be a problem?

If you could take a look and let me know if there is some infection, I would appreciate it very much.

I will attach the Malwarebytes log for the scan on the day I clicked the link, and the DDS and Attach logs for the scan I ran just now.

Thanks for your time

Malwarebytes log

Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

Database version: v2012.06.01.05

Windows 7 Service Pack 1 x86 NTFS

Internet Explorer 8.0.7601.17514

Daewoo :: DAEWOO-PC [administrator]

6/1/2012 4:01:55 PM

mbam-log-2012-06-01 (16-01-55).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 211881

Time elapsed: 11 minute(s), 56 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Windows\System32\ssa.dll (Trojan.BHO) -> Quarantined and deleted successfully.

(end)

DDS

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 10.4.1

Run by Daewoo at 15:46:38 on 2012-06-24

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2998.1884 [GMT -4:00]

.

AV: AhnLab V3 Internet Security 8.0 *Enabled/Updated* {B5892DA8-3D3D-75E1-6A57-1270334145D3}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: AhnLab V3 Internet Security 8.0 *Enabled/Updated* {0EE8CC4C-1B07-7A6F-50E7-290248C60F6E}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\Hpservice.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Iomega\QuikProtect\QpMonitor.exe

C:\Program Files\Retrospect\Retrospect 7.5\retrorun.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\AhnLab\V3IS80\V3Svc.exe

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\RealVNC\VNC4\winvnc4.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\AhnLab\V3IS80\V3SP.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Iomega\QuikProtect\startQuikProtect.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Penta Security Systems\ISign Desktop\isigntr.exe

C:\PROGRA~1\PENTAS~1\ISIGND~1\evtdisp.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

C:\Windows\System32\svchost.exe -k secsvcs

C:\Users\Daewoo\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Daewoo\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\system32\rundll32.exe

C:\Users\Daewoo\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Daewoo\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Daewoo\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\svchost.exe -k swprv

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = https://remote.daewoo-usa.com/Citrix/AccessPlatform/site/default.aspx

uURLSearchHooks: H - No File

uURLSearchHooks: H - No File

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~1\office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll

BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe" -s

uRun: [ActivePost Standard] "c:\dwa messenger\DWAMessenger.exe"

uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

uRun: [iSUSPM] "c:\programdata\flexnet\connect\11\ISUSPM.exe" -scheduler

uRun: [Google Update] "c:\users\daewoo\appdata\local\google\update\GoogleUpdate.exe" /c

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [V3 Session Process] "c:\program files\ahnlab\v3is80\V3SP.exe"

mRun: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe

mRun: [QuiKProtect] c:\program files\iomega\quikprotect\StartQuikProtect.exe

mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"

mRun: [Nuance PDF Converter Professional 7-reminder] "c:\program files\nuance\pdf professional 7\ereg\ereg.exe" -r "c:\programdata\nuance\pdf converter professional 7\ereg\Ereg.ini"

mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"

mRun: [<NO NAME>]

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\isigns~1.lnk - c:\program files\penta security systems\isign desktop\isigntr.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: Adobe PDF? ?? - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\micros~1\office14\ONBttnIE.dll/105

IE: ?? PDF? ?? ?? ?? - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: ?? PDF? ?? - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html

IE: ?? ??? Adobe PDF? ?? - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

Trusted Zone: daewoo-usa.com

Trusted Zone: daewoo.com

Trusted Zone: dwc.co.kr

DPF: {05D704AA-CDCA-42C4-AAF7-290D1785ACC5} - hxxp://ep.daewoo-usa.com/gw/sys/gwlib.nsf/lookup/MultiAttach/$FILE/XMultiAttachment.cab

DPF: {16078A1E-44EF-40CC-AD83-88373B19A20C} - hxxp://ep.daewoo-usa.com/gw/sys/gwlib.nsf/lookup/NamoWec7/$file/NamoWec.cab

DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://kitchenplanner.ikea.com/US/Core/Player/2020PlayerAX_Win32.cab

DPF: {321FD0B3-C97C-45C1-952E-C6A371E8C4B5} - hxxp://ep.daewoo-usa.com/gw/sys/gwlib.nsf/lookup/OrgOCX/$File/XSiteOrg.cab

DPF: {47764ABF-7273-40D7-A659-231ABF656AA6} - hxxp://ep.daewoo.com/portalPage/cab/IeMgr.cab

DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - hxxp://ep.daewoo-usa.com/gw/sys/gwlib.nsf/lookup/msxml4/$FILE/msxml4.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab

DPF: {9215AC0E-4181-4DE9-B70C-7EE55767C62E} - hxxp://ep.daewoo-usa.com/gw/sys/gwlib.nsf/lookup/xPrintWise/$File/xPrintWise.cab

DPF: {948FC4BD-3F05-4549-81E7-2C63974F6D17} - hxxp://popeye.samsungpop.com/sscommon/cab/SecuiSFNCOMIE.cab

DPF: {A9F090E5-FC80-4772-AFEE-D102AB6E77D6} - hxxp://ep.daewoo.com/portalPage/cab/IssacWebProCMS_4_3_0_0.cab

DPF: {BC677953-2A06-482F-B650-37B401ADA89A} - hxxp://ums.samsungfn.com/TMailerSamsungFnDotCom2.cab

DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {E622CC9C-1790-4395-ABE1-0C1281567A93} - hxxp://ep.daewoo.com/portalPage/cab/ISignDtpSetup-DaewooInternational_2_0_0_5.cab

DPF: {E9F073DF-4D1F-4BEA-A37C-A2BBFA1F90D1} - hxxp://ep.daewoo-usa.com/gw/sys/gwlib.nsf/lookup/SafeZone/$FILE/SafeZoneCtrl.cab

TCP: DhcpNameServer = 64.238.96.12 66.180.96.12

TCP: Interfaces\{C32B15AC-4E27-46BB-8185-D4BE0A6F680B} : DhcpNameServer = 64.238.96.12 66.180.96.12

TCP: Interfaces\{C32B15AC-4E27-46BB-8185-D4BE0A6F680B}\2375942554635393 : DhcpNameServer = 192.168.1.254

TCP: Interfaces\{C32B15AC-4E27-46BB-8185-D4BE0A6F680B}\4505D2C494E4B4F5342483542403 : DhcpNameServer = 192.168.1.1

TCP: Interfaces\{C32B15AC-4E27-46BB-8185-D4BE0A6F680B}\74D4027457563747 : DhcpNameServer = 12.127.17.72 199.191.128.103

TCP: Interfaces\{C32B15AC-4E27-46BB-8185-D4BE0A6F680B}\775626F43502E4564777F627B6021463A33443A32433 : DhcpNameServer = 10.1.1.11

TCP: Interfaces\{FC26CEF3-5556-4E70-B93E-694CC53589AC} : DhcpNameServer = 64.238.96.12 66.180.96.12

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL

Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll

Notify: igfxcui - igfxdev.dll

.

============= SERVICES / DRIVERS ===============

.

R1 AMonTDLH;AMonTDLH;c:\windows\system32\drivers\AMonTDLH.sys [2011-1-3 100960]

R1 ATamptNt_V3IS80;ATamptNt_V3IS80;c:\progra~1\ahnlab\v3is80\ATamptNt.sys [2011-1-3 191712]

R1 v3engine;v3engine;c:\windows\system32\drivers\v3engine.sys [2011-1-3 2252728]

R1 V3Flt2K;V3Flt2K;c:\progra~1\ahnlab\v3is80\V3Flt2K.sys [2011-1-3 170080]

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]

R2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2010-7-16 26168]

R2 QPCopyEngine;QPCopyEngine;c:\program files\iomega\quikprotect\QpMonitor.exe [2010-6-24 247088]

R2 SSPORT;SSPORT;c:\windows\system32\drivers\SSPORT.SYS [2011-12-29 5120]

R2 V3 Service;V3 Service;c:\program files\ahnlab\v3is80\V3Svc.exe [2011-1-3 264408]

R3 AhnFlt2K;AhnFlt2K;c:\windows\system32\drivers\AhnFlt2k.sys [2011-1-3 53088]

R3 AhnRec2K;AhnRec2K;c:\windows\system32\drivers\AhnRec2k.sys [2011-1-3 20576]

R3 AhnRghNt;AhnRghNt;c:\windows\system32\drivers\AhnRghNt.sys [2011-1-3 58592]

R3 AhnSZE;AhnSZE;c:\windows\system32\drivers\ahnsze.sys [2011-1-3 1594040]

R3 ASZFltNt;ASZFltNt;c:\progra~1\ahnlab\v3is80\ASZFltNt.sys [2011-1-3 138208]

R3 CdmDrvNt;CdmDrvNt;c:\windows\system32\drivers\CdmDrvNt.sys [2011-1-3 19608]

R3 MeDCoreD_V3IS80;MeDCoreD_V3IS80;c:\program files\ahnlab\v3is80\MedCoreD.sys [2011-1-3 310160]

R3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETw5s32.sys [2010-1-13 6755840]

R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]

R3 TfFRegNt;TfFRegNt;c:\program files\ahnlab\v3is80\TFFREGNT.SYS [2011-1-3 55520]

R3 TfProcNt;TfProcNt;c:\program files\ahnlab\v3is80\AHAWKENT.SYS [2011-1-3 29280]

R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]

R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-9-28 315392]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-1-3 136176]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-5-7 257696]

S3 AhnActNt;AhnActNt;c:\progra~1\ahnlab\v3is80\AhnActNt.sys [2011-1-3 88544]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2011-2-11 39272]

S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-1-3 136176]

S3 ISPrxEnt;ISPrxEnt;c:\program files\ahnlab\v3is80\ISPrxENt.sys [2011-1-3 77736]

S3 QsFsFltr;QsFsFltr;c:\windows\system32\drivers\QsFsFltr.sys [2010-6-24 19384]

S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]

S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-7-19 52224]

S3 V3Flu2k_V3IS80;V3Flu2k_V3IS80;c:\progra~1\ahnlab\v3is80\V3Flu2k.sys [2011-1-3 124000]

S3 V3IFt2K;V3IFt2K;c:\progra~1\ahnlab\v3is80\V3IFt2K.sys [2011-1-3 77920]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-1-3 1343400]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]

S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]

.

=============== Created Last 30 ================

.

2012-06-22 14:00:59 6762896 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{f17b5688-7c4e-4223-a063-9fa8a1d1d156}\mpengine.dll

2012-06-21 13:09:27 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-21 13:09:11 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-21 13:09:01 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-06-21 13:09:01 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-14 13:10:49 2342400 ----a-w- c:\windows\system32\msi.dll

2012-06-14 13:10:46 2343936 ----a-w- c:\windows\system32\win32k.sys

2012-06-14 13:10:44 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll

2012-06-14 13:10:43 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe

2012-06-14 13:10:43 58880 ----a-w- c:\windows\system32\rdpwsx.dll

2012-06-14 13:10:43 164352 ----a-w- c:\windows\system32\profsvc.dll

2012-06-14 13:10:37 140288 ----a-w- c:\windows\system32\cryptsvc.dll

2012-06-14 13:10:37 1158656 ----a-w- c:\windows\system32\crypt32.dll

2012-06-14 13:10:37 103936 ----a-w- c:\windows\system32\cryptnet.dll

2012-06-03 23:03:07 -------- d-----w- c:\program files\Oracle

2012-06-03 23:02:32 772504 ----a-w- c:\windows\system32\npDeployJava1.dll

2012-06-03 22:18:31 -------- d-----w- c:\users\daewoo\appdata\roaming\AVG2012

2012-06-03 22:17:32 -------- d-----w- c:\programdata\AVG2012

2012-06-03 22:16:59 -------- d-----w- c:\program files\AVG

2012-06-03 22:12:21 -------- d--h--w- c:\programdata\Common Files

2012-06-03 22:11:56 -------- d-----w- c:\programdata\MFAData

2012-06-01 20:00:38 -------- d-----w- c:\users\daewoo\appdata\roaming\Malwarebytes

2012-06-01 20:00:33 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-01 20:00:33 -------- d-----w- c:\programdata\Malwarebytes

2012-06-01 20:00:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.

==================== Find3M ====================

.

2012-06-19 03:48:00 2252728 ----a-w- c:\windows\system32\drivers\v3engine.sys

2012-06-19 03:48:00 2215224 ----a-w- c:\windows\system32\BTScan.exe

2012-06-19 03:48:00 1594040 ----a-w- c:\windows\system32\drivers\ahnsze.sys

2012-05-15 03:03:54 981504 ----a-w- c:\windows\system32\wininet.dll

2012-05-07 16:29:25 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-05-07 16:29:25 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-04-28 03:17:07 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-04-27 17:12:49 152576 ----a-w- c:\windows\system32\msclmd.dll

2012-04-20 03:16:44 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2012-04-04 22:47:02 687504 ----a-w- c:\windows\system32\deployJava1.dll

2012-03-31 04:39:37 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe

2012-03-31 04:39:37 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-03-30 10:23:11 1291632 ----a-w- c:\windows\system32\drivers\tcpip.sys

.

============= FINISH: 15:46:54.73 ===============

Attach

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows 7 Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 12/30/2010 11:56:46 AM

System Uptime: 6/24/2012 6:32:16 AM (9 hours ago)

.

Motherboard: Hewlett-Packard | | 1722

Processor: Intel® Core i5 CPU M 430 @ 2.27GHz | CPU 1 | 2267/133mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 296 GiB total, 240.846 GiB free.

D: is FIXED (FAT32) - 2 GiB total, 1.494 GiB free.

E: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID:

Description: Base System Device

Device ID: PCI\VEN_1180&DEV_E852&SUBSYS_1722103C&REV_01\4&214DA77C&0&02E2

Manufacturer:

Name: Base System Device

PNP Device ID: PCI\VEN_1180&DEV_E852&SUBSYS_1722103C&REV_01\4&214DA77C&0&02E2

Service:

.

Class GUID:

Description:

Device ID: USB\VID_138A&PID_0007\1B1191DE2200

Manufacturer:

Name:

PNP Device ID: USB\VID_138A&PID_0007\1B1191DE2200

Service:

.

Class GUID:

Description: Base System Device

Device ID: PCI\VEN_1180&DEV_E230&SUBSYS_1722103C&REV_01\4&214DA77C&0&01E2

Manufacturer:

Name: Base System Device

PNP Device ID: PCI\VEN_1180&DEV_E230&SUBSYS_1722103C&REV_01\4&214DA77C&0&01E2

Service:

.

==== System Restore Points ===================

.

RP242: 6/1/2012 9:12:12 AM - Windows Update

RP243: 6/3/2012 6:04:01 PM - Removed Java 2 Runtime Environment, SE v1.4.2_19

RP244: 6/3/2012 6:16:38 PM - Installed AVG 2012

RP245: 6/3/2012 6:17:06 PM - Installed AVG 2012

RP246: 6/3/2012 7:01:20 PM - Installed Java 7 Update 4

RP247: 6/3/2012 7:02:43 PM - Installed JavaFX 2.1.0

RP248: 6/4/2012 9:47:32 AM - Removed AVG 2012

RP249: 6/4/2012 9:48:51 AM - Removed AVG 2012

RP250: 6/5/2012 9:50:40 AM - Windows Update

RP251: 6/6/2012 8:58:25 AM - Windows Update

RP252: 6/12/2012 8:55:43 AM - Windows Update

RP253: 6/15/2012 8:52:21 AM - Windows Update

RP254: 6/19/2012 9:22:44 AM - Windows Update

RP255: 6/21/2012 9:08:45 AM - Windows Update

RP256: 6/22/2012 10:00:15 AM - Windows Update

.

==== Installed Programs ======================

.

Adobe Acrobat 9 Pro - Korean

Adobe Flash Player 11 ActiveX

AhnLab V3 Internet Security 8.0

Citrix Presentation Server Client - Web Only

D3DX10

Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition

DirectX for Managed Code Update (December 2004)

DWACS 1.0.4.4

Google Chrome

Google Earth

Google Update Helper

Iomega Product Registration

Iomega QuikProtect

ISign Desktop Uninstall

IssacWebProCMS 4.3.0.0

Java Auto Updater

Java 6 Update 31

Java 7 Update 4

JavaFX 2.1.0

Junk Mail filter update

Korean Fonts Support For Adobe Reader X

Malwarebytes Anti-Malware version 1.61.0.1400

Mesh Runtime

Messenger Companion

Microsoft .NET Framework 4 Client Profile

Microsoft Application Error Reporting

Microsoft IntelliPoint 8.2

Microsoft IntelliType Pro 8.2

Microsoft Office 2010 Service Pack 1 (SP1)

Microsoft Office Excel MUI (English) 2010

Microsoft Office OneNote MUI (English) 2010

Microsoft Office Outlook Connector

Microsoft Office Outlook MUI (English) 2010

Microsoft Office PowerPoint MUI (English) 2010

Microsoft Office Proof (English) 2010

Microsoft Office Proof (French) 2010

Microsoft Office Proof (Spanish) 2010

Microsoft Office Proofing (English) 2010

Microsoft Office Publisher MUI (English) 2010

Microsoft Office Shared MUI (English) 2010

Microsoft Office Shared Setup Metadata MUI (English) 2010

Microsoft Office Standard 2010

Microsoft Office Word MUI (English) 2010

Microsoft Outlook Social Connector Provider for Windows Live Messenger 32-bit

Microsoft redistributable runtime DLLs VS2005 SP1(x86)

Microsoft redistributable runtime DLLs VS2008 SP1(x86)

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

MSVCRT

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

Retrospect 7.5

Samsung ML-1740 Series

SAMSUNG USB Driver for Mobile Phones

SAP GUI for Windows 7.20

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft Excel 2010 (KB2597166) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2553091)

Security Update for Microsoft Office 2010 (KB2553096)

Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2598039) 32-Bit Edition

Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition

Synaptics Pointing Device Driver

TrustNET WebToolKit for SecuiSFNCOM

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft Office 2010 (KB2494150)

Update for Microsoft Office 2010 (KB2553065)

Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553385) 32-Bit Edition

Update for Microsoft Office 2010 (KB2566458)

Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition

Update for Microsoft Office 2010 (KB2597091) 32-Bit Edition

Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition

Update for Microsoft OneNote 2010 (KB2589345) 32-Bit Edition

Update for Microsoft Outlook 2010 (KB2553248) 32-Bit Edition

Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition

VNC Mirror Driver 1.8.0

VNC Personal Edition P4.6.0

VNC Printer Driver 1.7.0

WebACS 1.0.0.20

Windows Live Communications Platform

Windows Live Essentials

Windows Live Family Safety

Windows Live ID Sign-in Assistant

Windows Live Installer

Windows Live Mail

Windows Live Mesh

Windows Live Mesh ActiveX Control for Remote Connections

Windows Live Messenger

Windows Live Messenger Companion Core

Windows Live MIME IFilter

Windows Live Movie Maker

Windows Live Photo Common

Windows Live Photo Gallery

Windows Live PIMT Platform

Windows Live Remote Client

Windows Live Remote Client Resources

Windows Live Remote Service

Windows Live Remote Service Resources

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live UX Platform

Windows Live UX Platform Language Pack

Windows Live Writer

Windows Live Writer Resources

.

==== Event Viewer Messages From Past Week ========

.

6/22/2012 6:19:19 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer DAEWOO-CARD-REA that believes that it is the master browser for the domain on transport NetBT_Tcpip_{C32B15AC-4E27-46BB-8185-D4. The master browser is stopping or an election is being forced.

6/22/2012 11:38:36 AM, Error: NetBT [4319] - A duplicate name has been detected on the TCP network. The IP address of the computer that sent the message is in the data. Use nbtstat -n in a command window to see which name is in the Conflict state.

6/20/2012 4:23:57 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer DWA-BLYTHE-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{FC26CEF3-5556-4E70-B93E-694C. The master browser is stopping or an election is being forced.

6/20/2012 3:01:23 AM, Error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.198 with the system having network hardware address 00-13-FA-01-EC-A2. Network operations on this system may be disrupted as a result.

6/19/2012 4:13:02 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer OLIVIA-HP that believes that it is the master browser for the domain on transport NetBT_Tcpip_{C32B15AC-4E27-46BB-8185-D4BE0A6F. The master browser is stopping or an election is being forced.

.

==== End Of File ===========================

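The DDS log above is the kind of thing a helper reads by eye. As an added example, not code from the original thread and not a Malwarebytes tool, here is a small Python triage script that pulls out the three things a reviewer would check first in this log: BHO, toolbar and Run entries that point at nothing ("No File", "<NO NAME>"), ActiveX controls (the DPF lines) fetched from hosts outside the Trusted Zone domains, and whether more than one Java runtime is still installed. The sample input is a constructed subset of lines copied from the log; the regular expressions and the "host outside a trusted zone" rule are this example's own assumptions, not DDS conventions. The Java check matters here because the Installed Programs section still lists Java 6 Update 31 next to Java 7 Update 4, and exploit kits of that era, Blackhole among them, targeted out-of-date Java plugins, so removing the old runtime is part of the cleanup.

```python
import re

# Constructed sample: a handful of lines copied from the DDS log posted
# above (hxxp is the defanged scheme DDS writes so URLs are not clickable).
SAMPLE_DDS = r"""
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
mRun: [<NO NAME>]
mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://kitchenplanner.ikea.com/US/Core/Player/2020PlayerAX_Win32.cab
DPF: {9215AC0E-4181-4DE9-B70C-7EE55767C62E} - hxxp://ep.daewoo-usa.com/gw/sys/gwlib.nsf/lookup/xPrintWise/$File/xPrintWise.cab
Trusted Zone: daewoo-usa.com
Trusted Zone: daewoo.com
Java 6 Update 31
Java 7 Update 4
JavaFX 2.1.0
"""

# Line shapes assumed from the log above (example's own patterns, not a DDS spec).
HOOK_RE = re.compile(r'^(BHO|TB|uRun|mRun|DPF):\s*(.*)$')
URL_RE = re.compile(r'h(?:xx|tt)ps?://([^/\s]+)', re.IGNORECASE)
ZONE_RE = re.compile(r'^Trusted Zone:\s*(\S+)$')
JAVA_RE = re.compile(r'^Java (\d+) Update (\d+)$')


def parse_hooks(text):
    """(kind, payload) for every BHO / toolbar / Run / DPF line in the log."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append((m.group(1), m.group(2).strip()))
    return hooks


def orphaned_hooks(hooks):
    """Registry hooks that no longer point at a file ('No File') or carry no
    command at all ('<NO NAME>'). Usually uninstall leftovers, but cleanup
    tools strip them because a later dropper can re-use a known CLSID."""
    return [h for h in hooks if h[1].endswith('No File') or h[1] == '[<NO NAME>]']


def trusted_zones(text):
    """Domains that were put into IE's Trusted sites zone."""
    zones = []
    for line in text.splitlines():
        m = ZONE_RE.match(line.strip())
        if m:
            zones.append(m.group(1).lower())
    return zones


def dpf_hosts_outside_zones(hooks, zones):
    """Hosts that ActiveX controls (DPF = Downloaded Program Files) were
    fetched from and that sit under no Trusted Zone domain. Intranet
    controls are expected on a company laptop; anything else gets a look."""
    outside = set()
    for kind, payload in hooks:
        if kind != 'DPF':
            continue
        m = URL_RE.search(payload)
        if not m:
            continue
        host = m.group(1).lower()
        if not any(host == z or host.endswith('.' + z) for z in zones):
            outside.add(host)
    return sorted(outside)


def installed_java(text):
    """(major, update) pairs from the Installed Programs section."""
    found = []
    for line in text.splitlines():
        m = JAVA_RE.match(line.strip())
        if m:
            found.append((int(m.group(1)), int(m.group(2))))
    return sorted(found)


def triage(text):
    """Human-readable findings; an empty list means nothing stood out."""
    hooks = parse_hooks(text)
    findings = []
    for kind, payload in orphaned_hooks(hooks):
        findings.append(f'orphaned {kind} entry: {payload}')
    for host in dpf_hosts_outside_zones(hooks, trusted_zones(text)):
        findings.append(f'ActiveX control downloaded from non-trusted host: {host}')
    java = installed_java(text)
    if len({major for major, _ in java}) > 1:
        versions = ', '.join(f'Java {m} Update {u}' for m, u in java)
        findings.append(f'more than one Java runtime still installed: {versions}')
    return findings


if __name__ == '__main__':
    for finding in triage(SAMPLE_DDS):
        print(finding)
```

Run as a script it prints the findings for the constructed sample; to triage a real log, read DDS.txt into a string and pass it to `triage()`. The host rule only compares against the Trusted Zone lines the log itself contains, so a log with no Trusted Zone entries will report every DPF host.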

  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the contents of C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.


  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
