Virus Infection On PC


Sudeep

Not able to install an update of Malwarebytes.

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_21

Run by sudgupta at 20:40:18 on 2011-11-15

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.1875 [GMT 11:00]

.

AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Endpoint Protection *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe

C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe

D:\devtools\Apache Group\Apache2\bin\Apache.exe

C:\Program Files\WebEx\Connect\apUpdate.exe

C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

C:\WINDOWS\system32\DWRCS.EXE

C:\Program Files\Dell\OpenManage\Client\Iap.exe

C:\Program Files\Sierra Wireless Inc\IERA\IERA.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\mnmsrvc.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\devtools\ora10.2.0\BIN\TNSLSNR.exe

c:\devtools\ora10.2.0\bin\ORACLE.EXE

C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe

C:\WINDOWS\system32\SgLogPlayer.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\system32\DWRCST.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\DellTPad\Apoint.exe

C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Altiris\Altiris Agent\AeXAgentUIHost.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\program files\real\realplayer\update\realsched.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\Program Files\DellTPad\HidFind.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\DellTPad\Apntex.exe

C:\Documents and Settings\sudgupta\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\Microsoft Office\Office12\EXCEL.EXE

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\udceng.exe

C:\Program Files\Symantec AntiVirus\Smc.exe

C:\Program Files\Symantec AntiVirus\SmcGui.exe

C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

C:\Program Files\Notepad++\notepad++.exe

D:\Ariba\JPMC9r1\Downstream\Server\bin\startbuyer.exe

D:\Ariba\JPMC9r1\Downstream\Server\3rdParty\perl\bin\Win32\perl.exe

D:\Ariba\JPMC9r1\Downstream\Server\3rdParty\jre\NT\1.5.0\bin\java.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\ytbb.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

.

============== Pseudo HJT Report ===============

.

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com

uStart Page = about:blank

uWindow Title = Windows Internet Explorer provided by Yahoo!

uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8

mDefault_Page_URL = hxxp://in.yahoo.com/?fr=fp-spt_gen

mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com

mStart Page = hxxp://in.yahoo.com/?fr=fp-spt_gen

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

uURLSearchHooks: YTNavAssistPlugin Class: {81017ea9-9aa8-4a6a-9734-7af40e7d593f} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: ChromeFrame BHO: {ecb3c477-1a0a-44bd-bb57-78f9efe34fa7} - c:\program files\google\chrome frame\application\15.0.874.120\npchrome_frame.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn0\YTSingleInstance.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Google Update] "c:\documents and settings\sudgupta\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

uRun: [Wclock] c:\program files\wclock\Wclock.exe

uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRunOnce: [ypagerps] cmd.exe /C del "c:\progra~1\yahoo!\messen~1\ypagerps.dll"

uRunOnce: [ypagerps1] cmd.exe /C del "c:\progra~1\yahoo!\messen~1\ypagerps1.DLL"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /installquiet

mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe

mRun: [Apoint] c:\program files\delltpad\Apoint.exe

mRun: [AeXAgentLogon] c:\program files\altiris\altiris agent\AeXAgentActivate.exe /logon

mRun: [sgeEcView] c:\program files\utimaco\safeguard easy\Ecview.exe

mRun: [EdWizard] c:\program files\utimaco\safeguard easy\EdWizard.exe as

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot

mRun: [DameWare MRC Agent] c:\windows\system32\DWRCST.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{f3c1de9e-5e16-4ba9-b854-7b53a45e3579}\Icon3E5562ED7.ico

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

LSP: mswsock.dll

Trusted Zone: ariba.com

Trusted Zone: ariba.com\knowledge

Trusted Zone: aribaasp.com\ppgdev

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813

DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} - hxxps://snv-acdcasa/CACHE/stc/1/binaries/stcweb.cab

DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://rapgh.ariba.com/CACHE/stc/1/binaries/vpnweb.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1192736243968

DPF: {74233DB3-F72F-44EA-94DC-258A624037E6} - hxxps://help.ariba.com/aspnet_client/Altiris_AppWeaver/6_0_sp3/lib/VSFlex8.CAB

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {8AFC9162-C354-4022-9E7E-ED4D41A9A284} - hxxps://sourcepointuat.wellpoint.com/AribaASMUAT/ariba/resource/en_US/lib/clientautomation.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0014-0002-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.1.66.0.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://myconnection.wellpoint.com/dana-cached/sc/JuniperSetupClient.cab

DPF: {FDF527BA-DDDA-11D3-AA82-006094EB09CB} - hxxps://help.ariba.com/aspnet_client/Altiris_AppWeaver/6_0_sp3/lib/AeXClipboard.CAB

TCP: Interfaces\{148C1205-685C-4751-A4DD-E06A4304E3F3} : NameServer = 10.1.1.10,10.1.1.11

TCP: Interfaces\{4B9031C3-809E-4AC8-A109-9A14A67A1820} : DhcpNameServer = 192.168.11.1

Handler: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - c:\program files\google\chrome frame\application\15.0.874.120\npchrome_frame.dll

Handler: qrev - {9DE24BAC-FC3C-42c4-9FC4-76B3FAFDBD90} - c:\program files\quest software\toad for oracle 10.6 freeware\RNetPin.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

Notify: NotLog - SGLogEx.dll

Notify: SGLogNotification - SGLogNotification.dll

AppInit_DLLs: AMINIT32.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

Hosts: 162.95.80.40 myconnection.wellpoint.com

.

============= SERVICES / DRIVERS ===============

.

R0 AES-256;AES-256;c:\windows\system32\drivers\AES256.sys [2007-9-5 19712]

R0 SgeFlt;SgeFlt;c:\windows\system32\drivers\SGEFLT.sys [2007-9-5 62720]

R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2007-2-16 26624]

R1 FSLX;FSLX;c:\windows\system32\drivers\fslx.sys [2008-7-21 192256]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-3-18 108392]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-3-18 108392]

R2 Cisco WebEx Connect Upgrade Service;Cisco WebEx Connect Upgrade Service;c:\program files\webex\connect\apUpdate.exe [2011-4-11 824120]

R2 IERA;Sierra Wireless Error Reporting Agent;c:\program files\sierra wireless inc\iera\IERA.exe [2011-10-31 152432]

R2 OracleOraDb10g_home1TNSListener;OracleOraDb10g_home1TNSListener;c:\devtools\ora10.2.0\bin\tnslsnr --> c:\devtools\ora10.2.0\bin\TNSLSNR [?]

R2 OracleServiceARIBA;OracleServiceARIBA;c:\devtools\ora10.2.0\bin\oracle.exe ariba --> c:\devtools\ora10.2.0\bin\ORACLE.EXE ARIBA [?]

R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2011-3-18 1839776]

R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2009-6-18 434864]

R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2007-2-8 3712]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-11-9 106104]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20111114.022\NAVENG.SYS [2011-11-15 86136]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20111114.022\NAVEX15.SYS [2011-11-15 1576312]

R3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-20 135664]

S2 OracleDBConsoleARIBA;OracleDBConsoleARIBA;c:\devtools\ora10.2.0\bin\nmesrvc.exe [2010-3-11 24064]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-11-30 23888]

S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]

S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [2010-4-23 22136]

S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2011-10-31 112640]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-5-20 135664]

S3 swiwdmbus;Sierra Wireless USB Composite Bus;c:\windows\system32\drivers\swiwdmbus.sys [2010-6-21 78720]

S3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\drivers\swnc8ua3.sys [2010-6-21 201088]

S3 SWUMXA3;Sierra Wireless USB MUX Driver (UMTSA3);c:\windows\system32\drivers\swumxa3.sys [2010-6-21 156544]

S3 ztemtusbser;ZTEMT Legacy Serial Communication;c:\windows\system32\drivers\ct_ztemt_u_usbser.sys --> c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys [?]

S4 OracleJobSchedulerARIBA;OracleJobSchedulerARIBA;c:\devtools\ora10.2.0\bin\extjob.exe ariba --> c:\devtools\ora10.2.0\bin\extjob.exe ARIBA [?]

.

=============== Created Last 30 ================

.

2011-11-10 10:34:38 -------- d-----w- C:\Cache

2011-11-10 10:31:53 -------- d-----w- C:\w

2011-11-10 10:31:51 -------- d-----w- C:\skins

2011-11-10 10:31:47 -------- d-----w- C:\e

2011-11-10 10:31:37 -------- d-----w- C:\Data

2011-11-09 11:39:05 -------- d-----w- c:\documents and settings\sudgupta\075014.tmp

2011-11-03 12:22:36 -------- d-----w- c:\program files\RealVNC

2011-10-31 02:28:15 112640 ----a-w- c:\windows\system32\drivers\ewusbnet.sys

2011-10-31 02:28:15 102528 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys

2011-10-31 02:28:13 100736 ----a-w- c:\windows\system32\drivers\ewusbdev.sys

2011-10-31 02:28:12 24448 ----a-w- c:\windows\system32\drivers\ewdcsc.sys

2011-10-31 02:26:12 -------- d-----w- c:\program files\Optus Wireless Broadband

2011-10-30 23:31:42 -------- d--h--w- c:\documents and settings\sudgupta\application data\Sierra Wireless

2011-10-30 23:31:42 -------- d-----w- c:\program files\Sierra Wireless Inc

2011-10-30 23:31:40 -------- d--h--w- c:\documents and settings\all users\application data\Sierra Wireless

2011-10-27 12:54:12 -------- d-----w- c:\program files\BE33A

2011-10-27 12:53:48 -------- d--h--w- c:\documents and settings\sudgupta\application data\YddWWK8fRZ

2011-10-27 12:53:48 -------- d--h--w- c:\documents and settings\sudgupta\application data\rhhhTXXwjUVlItz

2011-10-27 12:53:40 -------- d--h--w- c:\documents and settings\sudgupta\application data\WPPP0yycA1iD3nF

2011-10-27 12:53:39 -------- d--h--w- c:\documents and settings\sudgupta\application data\hibbDD3pnG4QW7R

2011-10-27 12:53:38 -------- d--h--w- c:\documents and settings\sudgupta\application data\C7DBE

2011-10-27 12:53:37 -------- d-----w- c:\program files\LP

2011-10-25 01:46:34 67896 ----a-w- c:\program files\mozilla firefox\plugins\webex\1124\atauthor.exe

2011-10-25 01:46:34 246272 ----a-w- c:\program files\mozilla firefox\plugins\webex\1124\atrpui.dll

2011-10-25 01:46:33 338944 ----a-w- c:\program files\mozilla firefox\plugins\webex\1124\ataudio.dll

2011-10-25 01:46:32 264704 ----a-w- c:\program files\mozilla firefox\plugins\webex\1124\atrecply.dll

2011-10-22 09:15:10 -------- d-----w- c:\program files\ZOHO Corp

2011-10-20 04:44:25 -------- d--h--w- c:\documents and settings\sudgupta\application data\NetSarang

2011-10-20 04:43:06 -------- d-----w- c:\program files\common files\NetSarang

2011-10-20 04:42:56 -------- d--h--w- c:\documents and settings\all users\application data\NetSarang

2011-10-20 04:42:56 -------- d-----w- c:\program files\NetSarang

2011-10-20 01:39:40 -------- d--h--w- c:\documents and settings\sudgupta\application data\Wclock

2011-10-20 01:39:40 -------- d-----w- c:\program files\Wclock

2011-10-20 01:31:41 -------- d-----w- c:\documents and settings\sudgupta\local settings\application data\Clock_22

2011-10-20 01:31:33 -------- d-----w- c:\program files\Clock

2011-10-17 13:33:23 -------- d-----w- c:\documents and settings\sudgupta\local settings\application data\WebEx Connect

2011-10-17 13:33:18 -------- d--h--w- c:\documents and settings\sudgupta\application data\WebEx Connect

.

==================== Find3M ====================

.

2011-10-10 06:14:42 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-26 00:41:20 611328 ------w- c:\windows\system32\uiautomationcore.dll

2011-09-26 00:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 00:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-09-03 10:17:37 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-08-31 11:30:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-17 21:32:17 832512 ----a-w- c:\windows\system32\wininet.dll

2011-08-17 21:32:16 78336 ----a-w- c:\windows\system32\ieencode.dll

2011-08-17 21:32:16 1830912 ----a-w- c:\windows\system32\inetcpl.cpl

2011-08-17 21:32:15 17408 ----a-w- c:\windows\system32\corpol.dll

2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2011-08-17 12:22:23 389120 ----a-w- c:\windows\system32\html.iec

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: ST9160411ASG rev.DE17 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys

1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8B249AB8]

3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Ide\IdeDeviceP1T0L0-e[0x8B29A030]

kernel: MBR read successfully

_asm { CLI ; JMP 0x7d; }

user != kernel MBR !!!

.

============= FINISH: 20:45:32.99 ===============

Attachments: dds.txt, attach.txt

Welcome.

Whether you wish to continue with cleaning or not, you should be aware that you may have been infected by a backdoor trojan. This type of program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps.
  • Removing this infection can also disable the ability to connect to the internet.

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you, then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

Please post back to let me know how you wish to proceed.


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
