
blocked access to potentially malicious.. over and over



Hello and thank you to whoever is willing to help. I'm getting this problem from a uTorrent download. I'm going to fess up to that right away, as I basically am kicking myself now. I don't think I will be doing it anymore. It will be deleted after this fix, especially if I have to format. Sigh. Again, thank you to anyone who is willing to assist.

The Problem: I first received a message saying that my Google settings had been changed, then some warnings and blocks from Panda. After that I tried to open up Google Chrome and it would give me a blue screen and tell me it was dumping physical memory. I was eventually able to get my PC up in safe mode.

Anyway, here is what I have done to try and remedy the problem:

1. Ran Panda (found and quarantined)

2. Restored to a save point on Windows 7

3. Ran MalwareBytes (2 times): found and removed 9 items the first scan and 2 the second time.

4. Followed the "I'm infected, What now?" post.

Here is the info... and again thank you.

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6751

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

6/2/2011 6:07:27 AM

mbam-log-2011-06-02 (06-07-27).txt

Scan type: Full scan (C:\|D:\|F:\|K:\|)

Objects scanned: 623044

Time elapsed: 2 hour(s), 12 minute(s), 0 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 13

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\program files\popcap games\bejeweled blitz\bejeweled.blitz.crk.exe (PUP.Hacktool.Patcher) -> Quarantined and deleted successfully.

c:\Users\Michael\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\3BTG2Y1F\nnrfjmqeh[1].htm (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

c:\Users\Michael\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\3BTG2Y1F\uhhymdqu[1].htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\users\michael\appdata\local\microsoft\windows\temporary internet files\content.ie5\3btg2y1f\scctgxkbb[1].htm (Trojan.Hiloti) -> Quarantined and deleted successfully.

c:\Users\Michael\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\3BTG2Y1F\bosgwxbeff[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.

c:\Users\Michael\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\GK1HNFG3\hhlycptx[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.

c:\Users\Michael\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\K5PJHAQZ\ivjwneei[1].htm (Trojan.Agent) -> Quarantined and deleted successfully.

c:\Users\Michael\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\K5PJHAQZ\sbsfwao[1].htm (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

c:\Users\Michael\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\WZ3V78I5\lmzdd[1].htm (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

c:\users\michael\appdata\local\microsoft\windows\temporary internet files\content.ie5\wz3v78i5\lyyyzdduh[1].htm (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\Users\Michael\AppData\Local\Temp\QQAu.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.

c:\Users\Michael\documents\APPS\dvd burning\Keygen.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.

f:\program files\AskSBar\bar\1.bin\ASKSBAR.DLL (Adware.AskSBAR) -> Quarantined and deleted successfully.

2nd RUN of MB

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6752

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

6/2/2011 10:01:54 AM

mbam-log-2011-06-02 (10-01-54).txt

Scan type: Full scan (C:\|D:\|F:\|K:\|)

Objects scanned: 625401

Time elapsed: 1 hour(s), 55 minute(s), 42 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\$RECYCLE.BIN\s-1-5-21-969393467-3198209037-4009577033-1000\$RTXFEY9\setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

f:\program files\HP\digital imaging\help\cuetour\START.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

DDS.TXT

.

DDS (Ver_2011-06-02.03) - NTFSx86

Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_24

Run by Michael at 19:54:13 on 2011-06-02

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\System32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Flip Video\FlipShare\FlipShareService.exe

C:\Program Files\HP\HP LaserJet M1210 MFP Series\ReceiveFaxUtility.exe

C:\Windows\system32\HPSIsvc.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe

C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\Program Files\PostgreSQL\8.3\bin\postgres.exe

C:\Windows\system32\conhost.exe

C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

C:\Windows\system32\DRIVERS\xaudio.exe

C:\Program Files\PostgreSQL\8.3\bin\postgres.exe

C:\Program Files\PostgreSQL\8.3\bin\postgres.exe

C:\Program Files\PostgreSQL\8.3\bin\postgres.exe

C:\Program Files\PostgreSQL\8.3\bin\postgres.exe

C:\Program Files\PostgreSQL\8.3\bin\postgres.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\System32\CtHelper.exe

C:\Windows\RtHDVCpl.exe

C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe

C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Adobe\Adobe Bridge CS5\Bridge.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\explorer.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Users\Michael\Desktop\dds.scr

C:\Windows\system32\conhost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k apphost

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\system32\svchost.exe -k iissvcs

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Windows\System32\svchost.exe -k secsvcs

.

============== Pseudo HJT Report ===============

.

uDefault_Search_URL = hxxp://www.google.com/ie

uSearch Bar = hxxp://www.google.com/ie

uSearch Page = hxxp://www.google.com

uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2737658

mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5474

mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5474

uInternet Settings,ProxyOverride = <local>;*.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5474

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\google\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File

TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File

uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe

uRun: [Google Update] "c:\users\michael\appdata\local\google\update\GoogleUpdate.exe" /c

uRun: [skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [doubleTwist] c:\program files\doubletwist 2.0\DoubleTwist.DeviceHelper.exe

uRun: [CPN Notifier] c:\program files\ppn poker\PokerNotifier.exe

uRun: [AdobeBridge] "c:\program files\adobe\adobe bridge cs5\Bridge.exe" -stealth

mRun: [CTHelper] CTHELPER.EXE

mRun: [CTxfiHlp] CTXFIHLP.EXE

mRun: [RtHDVCpl] RtHDVCpl.exe

mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe

mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide

mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar

mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"

mRun: [switchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe

mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

dRun: [DevconDefaultDB] c:\windows\system32\READREG /SILENT /FAIL=1

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000

IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe

IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL

Trusted Zone: turbotax.com

DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {A609CB6E-FEB5-47C3-966C-1B916842BD01} - hxxp://poker.nlop.com/poker/PokerCreations.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 192.168.1.1 71.252.0.12

TCP: Interfaces\{46321C7B-0AAB-4904-BB33-F5D7B8C3EE2F} : DhcpNameServer = 192.168.1.1 71.252.0.12

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\michael\appdata\roaming\mozilla\firefox\profiles\lspo9w4v.default\

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.1591.6512\npCIDetect13.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrl.1.0.20816.0.dll

FF - plugin: c:\program files\mozilla firefox\plugins\nphssb.dll

FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nppl3260.dll

FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nprpjplug.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - plugin: c:\users\michael\appdata\local\google\update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: c:\users\michael\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll

FF - plugin: c:\users\michael\appdata\roaming\mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\users\michael\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: QuickProxy: {d5ea4520-61a1-11da-8cd6-0800200c9a66} - %profile%\extensions\{d5ea4520-61a1-11da-8cd6-0800200c9a66}

.

============= SERVICES / DRIVERS ===============

.

R? b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0

R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86

R? gupdate1c9dec8dff34441;Google Update Service (gupdate1c9dec8dff34441)

R? gupdatem;Google Update Service (gupdatem)

R? HP1210FAX;HP1210MFP FAX

R? MBAMSwissArmy;MBAMSwissArmy

R? mvusbews;USB EWS Device

R? SwitchBoard;Adobe SwitchBoard

R? WatAdminSvc;Windows Activation Technologies Service

S? HPM1210RcvFaxSrvc;HP LaserJet Professional M1210 MFP Series Receive Fax Service

S? HPSIService;HP SI Service

S? MBAMProtector;MBAMProtector

S? MBAMService;MBAMService

S? NanoServiceMain;Panda Cloud Antivirus Service

S? pgsql-8.3;PostgreSQL Database Server 8.3

S? PSINAflt;PSINAflt

S? PSINFile;PSINFile

S? PSINKNC;PSINKNC

S? PSINProc;PSINProc

S? PSINProt;PSINProt

S? TomTomHOMEService;TomTomHOMEService

S? TotRec7;Total Recorder WDM audio driver

S? xcbdaNtscV;ViXS Tuner Card (NTSC) - V

S? yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller

.

=============== Created Last 30 ================

.

2011-06-02 03:27:10 -------- d-----w- c:\users\michael\appdata\roaming\Malwarebytes

2011-06-02 03:27:03 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-02 03:27:03 -------- d-----w- c:\programdata\Malwarebytes

2011-06-02 03:26:59 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-02 03:26:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-06-02 03:06:43 6962000 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{90535904-5066-4777-a446-4862202d711e}\mpengine.dll

2011-06-02 00:01:37 -------- d-----w- c:\users\michael\appdata\roaming\Qyyz

2011-06-01 23:27:58 -------- d-----w- c:\users\michael\appdata\local\Alien Skin

2011-06-01 23:25:24 -------- d-----w- c:\programdata\Alien Skin

2011-06-01 23:25:21 -------- d-----w- c:\program files\Alien Skin

2011-05-30 15:29:44 -------- d-----w- c:\users\michael\New folder

2011-05-30 15:29:02 -------- d-----w- c:\users\michael\Light Room Final

2011-05-24 22:04:24 26496 ----a-w- c:\windows\system32\drivers\Diskdump.sys

2011-05-18 22:52:03 123904 ----a-w- c:\windows\system32\poqexec.exe

2011-05-18 01:16:09 -------- d-----w- c:\users\michael\appdata\roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1

2011-05-18 01:16:09 -------- d-----w- c:\users\michael\appdata\roaming\Adobe Mini Bridge CS5

2011-05-11 10:32:14 -------- d-----w- c:\users\michael\appdata\roaming\HandBrake

2011-05-11 10:32:14 -------- d-----w- c:\users\michael\appdata\local\HandBrake

2011-05-11 10:32:04 -------- d-----w- c:\program files\Handbrake

2011-05-10 21:25:38 75776 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2011-05-10 21:25:38 5888 ----a-w- c:\windows\system32\drivers\usbd.sys

2011-05-10 21:25:38 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys

2011-05-10 21:25:38 284160 ----a-w- c:\windows\system32\drivers\usbport.sys

2011-05-10 21:25:38 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys

2011-05-10 21:25:38 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys

2011-05-10 21:25:38 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys

2011-05-10 21:25:36 3957632 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-05-10 21:25:35 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe

.

==================== Find3M ====================

.

2011-04-13 22:40:10 4284416 ----a-w- c:\windows\system32\GPhotos.scr

2011-03-12 11:31:58 442880 ----a-w- c:\windows\system32\XpsPrint.dll

2011-03-11 05:44:09 146304 ----a-w- c:\windows\system32\drivers\storport.sys

2011-03-11 05:44:01 143744 ----a-w- c:\windows\system32\drivers\nvstor.sys

2011-03-11 05:44:01 1210240 ----a-w- c:\windows\system32\drivers\ntfs.sys

2011-03-11 05:44:01 117120 ----a-w- c:\windows\system32\drivers\nvraid.sys

2011-03-11 05:43:55 332160 ----a-w- c:\windows\system32\drivers\iaStorV.sys

2011-03-11 05:43:46 80256 ----a-w- c:\windows\system32\drivers\amdsata.sys

2011-03-11 05:43:46 22400 ----a-w- c:\windows\system32\drivers\amdxata.sys

2011-03-11 05:40:24 1164288 ----a-w- c:\windows\system32\mfc42u.dll

2011-03-11 05:40:24 1137664 ----a-w- c:\windows\system32\mfc42.dll

2011-03-11 05:39:35 1686016 ----a-w- c:\windows\system32\esent.dll

2011-03-11 05:37:34 74240 ----a-w- c:\windows\system32\fsutil.exe

2011-03-08 05:38:13 740864 ----a-w- c:\windows\system32\inetcomm.dll

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 6.1.7600 Disk: WDC_WD50 rev.12.0 -> Harddisk0\DR0 ->

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x864C74D0]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x864cd7f0]; MOV EAX, [0x864cd86c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 ntkrnlpa!IofCallDriver[0x83243428] -> \Device\Harddisk0\DR0[0x86480460]

3 CLASSPNP[0x8937759E] -> ntkrnlpa!IofCallDriver[0x83243428] -> [0x85E072A0]

5 ACPI[0x839B73B2] -> ntkrnlpa!IofCallDriver[0x83243428] -> \0000006a[0x85E077B0]

\Driver\nvstor[0x864844E0] -> IRP_MJ_CREATE -> 0x864C74D0

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [bP+0x0], 0x0; }

detected disk devices:

\Device\0000006a -> \??\SCSI#Disk&Ven_WDC_WD50&Prod_00AAKS-22TMA#4&c2a8a28&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

.

============= FINISH: 19:58:39.85 ===============


  • Staff

Hi and welcome to Malwarebytes.

Please see:

HijackThis Forum Policy

We will not be party to obvious use of keygens, cracks, warez or other illegal means of downloading software, music, videos, etc. This means no P2P evidence will be supported. Logs that show these in them will be given the option to remove the P2P items. Keygens, cracks, warez and similar will have the thread closed, period. It's theft and against the law.

This goes for uTorrent and anything else you may have installed.


  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
