Jump to content

Recommended Posts

I'm having issues getting rid of this rootkit. I'm pretty sure it's a rootkit since it comes back after a restart fairly easily. MSE picks it up as Vorbus.g.

Note that these scans are from yesterday. I left GMER running over night so it would finish.

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6561

Windows 6.1.7601 Service Pack 1

Internet Explorer 9.0.8112.16421

5/12/2011 3:48:13 PM

mbam-log-2011-05-12 (15-48-12).txt

Scan type: Full scan (C:\|)

Objects scanned: 418088

Time elapsed: 44 minute(s), 35 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 3

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{Y4GSJ665-U753-27QU-FC5R-K181G4AC34B4} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{Y4GSJ665-U753-27QU-FC5R-K181G4AC34B4} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKLM (Backdoor.Bot) -> Value: HKLM -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies (Backdoor.Bot) -> Value: Policies -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies (Backdoor.Bot) -> Value: Policies -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Heuristics.Reserved.Word.Exploit) -> Bad: (svshost.exe) Good: () -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (userinit.exe,svshost.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Users\Jeremy\AppData\Roaming\install\Svchost.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

c:\Users\Jeremy\downloads\driver genius professional v10.0.0.712{worldend}{h33t}\driver genius professional v10.0.0.712\drvgenpro\drvgenpro..exe (Backdoor.Bot) -> Quarantined and deleted successfully.

c:\Windows\System32\svshost.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

c:\Windows\SysWOW64\svshost.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

.

DDS (Ver_11-03-05.01) - NTFS_AMD64

Run by Jeremy at 15:51:32.68 on Thu 05/12/2011

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_24

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4094.2675 [GMT -5:00]

.

AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}

AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}

SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\atieclxx.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE

C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe

C:\Program Files (x86)\Secunia\PSI\PSIA.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files (x86)\Intuit\QuickBooks 2011\QBW32.EXE

C:\Program Files (x86)\Secunia\PSI\psi_tray.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files (x86)\Secunia\PSI\sua.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\QBMsgMgr.exe

C:\Users\Jeremy\Desktop\dds.scr

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.cafes.net

uDefault_Page_URL = hxxp://www.cafes.net

uDefault_Search_URL = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com

mDefault_Search_URL = hxxp://www.google.com

mDefault_Page_URL = hxxp://www.cafes.net

mStart Page = hxxp://www.cafes.net

mSearch Bar = hxxp://www.google.com

mWinlogon: Userinit=userinit.exe,

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

uRun: [Google Update] "C:\Users\Jeremy\AppData\Local\Google\Update\GoogleUpdate.exe" /c

uRun: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe startup

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\INTUIT~1.LNK - C:\Program Files (x86)\Common Files\Intuit\DataProtect\IntuitDataProtect.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\QUICKB~2.LNK - C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\QUICKB~1.LNK - C:\Program Files (x86)\Intuit\QuickBooks 2011\QBW32.EXE

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SECUNI~1.LNK - C:\Program Files (x86)\Secunia\PSI\psi_tray.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - C:\Program Files (x86)\Intuit\QuickBooks 2011\HelpAsyncPluggableProtocol.dll

Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\System32\mscoree.dll

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

mRun-x64: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"

mRun-x64: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey

mRun-x64: [intelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Jeremy\AppData\Roaming\Mozilla\Firefox\Profiles\9bwq5tk5.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.cafes.net

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60310.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll

FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll

FF - plugin: C:\Users\Jeremy\AppData\Local\Google\Update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll

.

============= SERVICES / DRIVERS ===============

.

R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2010-3-25 188928]

R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2010-2-17 14920]

R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2010-2-17 12360]

R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-5-4 128384]

R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2010-11-25 203776]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2011-5-12 136360]

R2 AntiVirService;Avira AntiVir Guard;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2011-5-12 269480]

R2 avgntflt;avgntflt;C:\Windows\System32\drivers\avgntflt.sys [2011-5-12 83120]

R2 cpuz135;cpuz135;C:\Windows\System32\drivers\cpuz135_x64.sys [2011-1-11 21992]

R2 QBVSS;QBIDPService;C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe [2011-3-5 1257760]

R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2011-1-7 1153368]

R2 Secunia PSI Agent;Secunia PSI Agent;C:\Program Files (x86)\Secunia\PSI\psia.exe [2011-1-10 993848]

R2 Secunia Update Agent;Secunia Update Agent;C:\Program Files (x86)\Secunia\PSI\sua.exe [2011-1-10 399416]

R3 amdkmdag;amdkmdag;C:\Windows\System32\drivers\atikmdag.sys [2011-1-26 9085952]

R3 amdkmdap;amdkmdap;C:\Windows\System32\drivers\atikmpag.sys [2011-1-26 299520]

R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 282616]

R3 PSI;PSI;C:\Windows\System32\drivers\psi_mf.sys [2010-9-1 17976]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2010-12-9 48488]

S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-23 1493352]

S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\System32\drivers\MpNWMon.sys [2010-3-25 40832]

S3 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2010-10-24 72064]

S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2011-2-23 20992]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-2-23 59392]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-12-9 1255736]

S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]

.

=============== Created Last 30 ================

.

2011-05-12 15:51:44 -------- d-----w- C:\Users\Jeremy\AppData\Roaming\Avira

2011-05-12 15:50:20 83120 ----a-w- C:\Windows\System32\drivers\avgntflt.sys

2011-05-12 15:50:19 -------- d-----w- C:\Program Files (x86)\Avira

2011-05-12 15:50:19 -------- d-----w- C:\PROGRA~3\Avira

2011-05-12 15:00:12 -------- d-----w- C:\PROGRA~3\!SASCORE

2011-05-12 15:00:10 -------- d-----w- C:\Program Files\SUPERAntiSpyware

2011-05-12 14:26:20 8802128 ----a-w- C:\PROGRA~3\Microsoft\Microsoft Antimalware\Definition Updates\{C2252A45-E6E8-4FCB-9BA6-A03A7CF5221E}\mpengine.dll

2011-05-12 14:17:34 -------- d-----w- C:\Users\Jeremy\AppData\Local\{26ECBC2F-D654-4A90-A1F8-A683D65800B2}

2011-05-11 13:55:34 5562240 ----a-w- C:\Windows\System32\ntoskrnl.exe

2011-05-11 13:55:33 3967872 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe

2011-05-11 13:55:33 3912576 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe

2011-05-11 13:55:32 98816 ----a-w- C:\Windows\System32\drivers\usbccgp.sys

2011-05-11 13:55:32 7936 ----a-w- C:\Windows\System32\drivers\usbd.sys

2011-05-11 13:55:32 52736 ----a-w- C:\Windows\System32\drivers\usbehci.sys

2011-05-11 13:55:32 343040 ----a-w- C:\Windows\System32\drivers\usbhub.sys

2011-05-11 13:55:32 325120 ----a-w- C:\Windows\System32\drivers\usbport.sys

2011-05-11 13:55:32 25600 ----a-w- C:\Windows\System32\drivers\usbohci.sys

2011-05-11 13:52:58 -------- d-----w- C:\Users\Jeremy\AppData\Local\{0D12283C-BA69-4187-A62D-3F0F1C54EEBA}

2011-05-10 14:19:39 -------- d-----w- C:\Users\Jeremy\AppData\Local\{707A7BB9-8021-4549-B3F4-1CD421317AB8}

2011-05-10 14:15:53 -------- d-----w- C:\Program Files (x86)\ESET

2011-05-10 14:09:56 63488 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ISBEW64.exe

2011-05-10 14:09:55 753664 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iKernel.dll

2011-05-10 14:09:55 69714 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ctor.dll

2011-05-10 14:09:55 5632 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\DotNetInstaller.exe

2011-05-10 14:09:55 274432 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iscript.dll

2011-05-10 14:09:55 184320 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iuser.dll

2011-05-10 14:09:53 331908 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\setup.dll

2011-05-10 14:09:53 200836 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iGdi.dll

2011-05-09 16:21:49 -------- d-----w- C:\Users\Jeremy\AppData\Local\{967E5DD4-A1B5-44E3-B975-15A448C61351}

2011-05-09 13:42:12 -------- d-sh--r- C:\Users\Jeremy\AppData\Roaming\install

2011-05-06 15:58:20 -------- d-sh--r- C:\Windows\SysWow64\install

2011-05-06 14:11:23 -------- d-----w- C:\Users\Jeremy\AppData\Local\{8DA74282-F4DA-45A8-8EAB-E48FB39E82C0}

2011-05-05 13:41:56 -------- d-----w- C:\Users\Jeremy\AppData\Local\{C3061125-2156-46D7-98D7-AFCCC8F3E024}

2011-05-05 01:41:44 -------- d-----w- C:\Users\Jeremy\AppData\Local\{077E66ED-98B4-414A-8807-F73F6F6799CD}

2011-05-04 13:41:32 -------- d-----w- C:\Users\Jeremy\AppData\Local\{50C3ECB9-DA7F-44D8-B87B-198558779798}

2011-05-03 14:07:46 -------- d-----w- C:\Users\Jeremy\AppData\Local\{80ED1154-3E79-4399-9CD8-B6E9ABF63D58}

2011-05-02 19:20:37 -------- d-----w- C:\horseplay

2011-05-02 13:43:43 -------- d-----w- C:\Users\Jeremy\AppData\Local\{FB1FFBED-6304-487D-82F7-7D031E59F8BF}

2011-04-29 22:51:52 142296 ----a-w- C:\Program Files (x86)\Mozilla Firefox\components\browsercomps.dll

2011-04-29 14:25:50 -------- d-----w- C:\Users\Jeremy\AppData\Local\{5D7E8E5A-49ED-45D5-84E9-807AF3200E7C}

2011-04-28 13:54:55 -------- d-----w- C:\Users\Jeremy\AppData\Local\{8590F281-D1F9-46EA-99C4-6A3929AD28FE}

2011-04-27 13:44:08 -------- d-----w- C:\Users\Jeremy\AppData\Local\{555AF0EA-2D4F-49B7-AAB5-FEEF44EA4978}

2011-04-26 14:14:47 -------- d-----w- C:\Users\Jeremy\AppData\Local\{440226CB-6B25-4E8A-8A6C-C186CCC084E4}

2011-04-25 13:43:46 -------- d-----w- C:\Users\Jeremy\AppData\Local\{C7F1A797-998A-4078-BBBE-3727BD403128}

2011-04-22 16:04:24 -------- d-----w- C:\Users\Jeremy\AppData\Local\{80B2C23C-003B-4F02-861B-BC432FD886CF}

2011-04-21 21:44:50 89048 ----a-w- C:\Program Files (x86)\Mozilla Firefox\libEGL.dll

2011-04-21 21:44:50 781272 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozsqlite3.dll

2011-04-21 21:44:50 465880 ----a-w- C:\Program Files (x86)\Mozilla Firefox\libGLESv2.dll

2011-04-21 21:44:50 1974616 ----a-w- C:\Program Files (x86)\Mozilla Firefox\D3DCompiler_42.dll

2011-04-21 21:44:50 1892184 ----a-w- C:\Program Files (x86)\Mozilla Firefox\d3dx9_42.dll

2011-04-21 21:44:50 1874904 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll

2011-04-21 21:44:50 15832 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozalloc.dll

2011-04-21 15:14:18 -------- d-----w- C:\Program Files\Microsoft IntelliPoint

2011-04-21 14:35:01 -------- d-----w- C:\Users\Jeremy\AppData\Local\{24F07DE8-8C69-4D53-9541-E065259D9BDD}

2011-04-20 14:24:04 -------- d-----w- C:\Users\Jeremy\AppData\Local\{BC9E8BC8-19C6-4E59-8985-5C2E1013E1A0}

2011-04-19 14:13:23 -------- d-----w- C:\Users\Jeremy\AppData\Local\{B49614CC-0670-4062-840E-F55594788E7B}

2011-04-18 14:11:59 -------- d-----w- C:\Users\Jeremy\AppData\Local\{ED9DB86F-7A5B-4C67-98DB-EF57EA9D6E02}

2011-04-15 16:14:11 -------- d-----w- C:\Users\Jeremy\AppData\Local\Secunia PSI

2011-04-15 16:14:07 -------- d-----w- C:\Program Files (x86)\Secunia

2011-04-15 13:56:23 -------- d-----w- C:\Users\Jeremy\AppData\Local\{0732B661-983C-446A-B164-463F896554EE}

2011-04-14 13:58:37 -------- d-----w- C:\Users\Jeremy\AppData\Local\{2E5AE85B-471F-4923-93A7-B368A3FA3D46}

2011-04-13 20:04:38 45432 ----a-w- C:\Windows\System32\drivers\point64.sys

2011-04-13 14:00:12 -------- d-----w- C:\Users\Jeremy\AppData\Local\{4FC6FB1F-EF29-4252-82F9-916F28545053}

2011-04-12 21:46:04 476160 ----a-w- C:\Windows\System32\XpsGdiConverter.dll

2011-04-12 21:46:04 288256 ----a-w- C:\Windows\SysWow64\XpsGdiConverter.dll

2011-04-12 21:46:03 3135488 ----a-w- C:\Windows\System32\win32k.sys

2011-04-12 21:46:02 1395712 ----a-w- C:\Windows\System32\mfc42.dll

2011-04-12 21:46:02 1359872 ----a-w- C:\Windows\System32\mfc42u.dll

2011-04-12 21:46:02 1137664 ----a-w- C:\Windows\SysWow64\mfc42.dll

2011-04-12 21:46:01 411648 ----a-w- C:\Windows\System32\drivers\srv2.sys

2011-04-12 21:46:01 1164288 ----a-w- C:\Windows\SysWow64\mfc42u.dll

2011-04-12 21:46:00 467456 ----a-w- C:\Windows\System32\drivers\srv.sys

2011-04-12 21:46:00 167936 ----a-w- C:\Windows\System32\drivers\srvnet.sys

.

==================== Find3M ====================

.

2011-04-09 04:00:28 464896 ----a-w- C:\Windows\System32\ipcoin815.dll

2011-03-12 12:08:49 1465344 ----a-w- C:\Windows\System32\XpsPrint.dll

2011-03-12 11:23:45 870912 ----a-w- C:\Windows\SysWow64\XpsPrint.dll

2011-03-11 06:41:37 189824 ----a-w- C:\Windows\System32\drivers\storport.sys

2011-03-11 06:41:34 166272 ----a-w- C:\Windows\System32\drivers\nvstor.sys

2011-03-11 06:41:34 1659776 ----a-w- C:\Windows\System32\drivers\ntfs.sys

2011-03-11 06:41:34 148352 ----a-w- C:\Windows\System32\drivers\nvraid.sys

2011-03-11 06:41:26 410496 ----a-w- C:\Windows\System32\drivers\iaStorV.sys

2011-03-11 06:41:12 27008 ----a-w- C:\Windows\System32\drivers\amdxata.sys

2011-03-11 06:41:12 107904 ----a-w- C:\Windows\System32\drivers\amdsata.sys

2011-03-11 06:33:29 2565632 ----a-w- C:\Windows\System32\esent.dll

2011-03-11 06:30:28 96768 ----a-w- C:\Windows\System32\fsutil.exe

2011-03-11 05:33:09 1699328 ----a-w- C:\Windows\SysWow64\esent.dll

2011-03-11 05:31:07 74240 ----a-w- C:\Windows\SysWow64\fsutil.exe

2011-03-08 06:29:32 976896 ----a-w- C:\Windows\System32\inetcomm.dll

2011-03-08 05:28:29 741376 ----a-w- C:\Windows\SysWow64\inetcomm.dll

2011-03-04 06:19:28 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll

2011-03-04 06:19:27 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll

2011-03-03 06:24:16 183296 ----a-w- C:\Windows\System32\dnsrslvr.dll

2011-03-03 06:21:57 30208 ----a-w- C:\Windows\System32\dnscacheugc.exe

2011-03-03 05:36:16 28672 ----a-w- C:\Windows\SysWow64\dnscacheugc.exe

2011-02-25 06:19:30 2871808 ----a-w- C:\Windows\explorer.exe

2011-02-25 05:30:54 2616320 ----a-w- C:\Windows\SysWow64\explorer.exe

2011-02-23 23:37:35 175616 ----a-w- C:\Windows\System32\msclmd.dll

2011-02-23 23:37:35 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll

2011-02-23 04:56:31 158208 ----a-w- C:\Windows\System32\drivers\mrxsmb.sys

2011-02-23 04:55:12 287744 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys

2011-02-23 04:55:12 128000 ----a-w- C:\Windows\System32\drivers\mrxsmb20.sys

2011-02-23 04:55:04 90624 ----a-w- C:\Windows\System32\drivers\bowser.sys

2011-02-19 12:05:15 1139200 ----a-w- C:\Windows\System32\FntCache.dll

2011-02-19 12:04:37 1544192 ----a-w- C:\Windows\System32\DWrite.dll

2011-02-19 12:04:17 902656 ----a-w- C:\Windows\System32\d2d1.dll

2011-02-19 12:03:46 46080 ----a-w- C:\Windows\System32\atmlib.dll

2011-02-19 09:00:32 367616 ----a-w- C:\Windows\System32\atmfd.dll

2011-02-19 06:30:51 1076736 ----a-w- C:\Windows\SysWow64\DWrite.dll

2011-02-19 06:30:50 739840 ----a-w- C:\Windows\SysWow64\d2d1.dll

2011-02-19 06:30:46 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll

2011-02-19 04:34:54 294912 ----a-w- C:\Windows\SysWow64\atmfd.dll

2011-02-18 10:51:16 31232 ----a-w- C:\Windows\System32\prevhost.exe

2011-02-18 05:39:44 31232 ----a-w- C:\Windows\SysWow64\prevhost.exe

2011-02-15 15:17:55 9728 ----a-w- C:\Windows\SysWow64\rnaph.dll

2011-02-12 11:34:16 267776 ----a-w- C:\Windows\System32\FXSCOVER.exe

.

============= FINISH: 15:52:31.90 ===============

Attach.zip

Link to post
Share on other sites

  • Staff

Hello and welcome to Malwarebytes.

I'm afraid I have bad news.

Your logs reveal a backdoor trojan. A backdoor severely compromises system integrity.

A compromised system may allow illicit network connections, disabling of security software, modifying critical system files and collection and transmiission of personal identifiable information without your consent.

I recommend that you disconnect this PC from the Internet immediately, and only reconnect to download any tools that are required. If you do any banking or other financial transactions on the PC or it if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. If it were on my PC I would not hesitate for a moment to do so. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

Should you have any questions, please feel free to ask.

Let me know what you decide.

Link to post
Share on other sites

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.