laptop might be infected

Post by LordZet on Fri 25 Sep 2009, 12:09 pm

A site I go to was just hacked today and I didn't know it, and I do believe I may have become infected. I got a pop-up and a redirect to a fake scanner, but when I closed FF nothing happened; it didn't install and no processes showed up.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:07:25 AM, on 9/25/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18294)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O13 - Gopher Prefix:
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - [You must be registered and logged in to see this link.]
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - [You must be registered and logged in to see this link.]
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 4220 bytes

LordZet
Intermediate
Posts: 100
Joined: 2009-08-26
OS: XP
Points: 27524
Likes: 0

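The HijackThis log above is the kind of thing a helper reads by eye. As an added example (Python written for this page, not HijackThis's own code and not anything posted in the thread), the script below does the two mechanical parts of that read: it flags O2 BHO entries whose DLL HijackThis reports as "(no file)" (the {5C255C8A-E604-49b4-9D64-90988571CECB} entry above is one), and it resolves what each O4 autorun actually launches, including the DLL behind a RUNDLL32.EXE command and unquoted paths that contain spaces. The sample is a subset of the posted log; whether any entry is malicious is not something the code decides.

```python
import re

# Lines taken from the HijackThis log posted above (a representative subset;
# the parser treats the full log the same way).
HJT_LOG = r"""
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
"""

LINE_RE = re.compile(r"^([ROF]\d+) - (.*)$")
BHO_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
RUN_RE = re.compile(
    r"^(HK\w+(?:\\S-[\d-]+)?)\\\.\.\\Run: \[([^\]]+)\] (.*?)(?: \(User '([^']*)'\))?$")


def parse_hjt(text):
    """Split the log into (section, body) pairs; lines that are not entries are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def orphaned_bhos(entries):
    """CLSIDs of O2 entries whose DLL is gone: HijackThis prints '(no file)' for them."""
    clsids = []
    for section, body in entries:
        m = BHO_RE.match(body) if section == "O2" else None
        if m and m.group(3).strip().lower() == "(no file)":
            clsids.append(m.group(2))
    return clsids


def launched_image(command):
    """Resolve the image an O4 command line really starts.

    Quoted paths are taken verbatim.  Unquoted paths containing spaces are
    reassembled token by token until a token ends in .exe, which mirrors how
    CreateProcess disambiguates them (and why unquoted paths are a hijack risk).
    rundll32 runs an export of the DLL named after it, so that DLL is the payload.
    """
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    tokens = command.split()
    if tokens[0].lower().rsplit("\\", 1)[-1] in ("rundll32.exe", "rundll32"):
        return " ".join(tokens[1:]).split(",")[0].strip('"')
    image = tokens[0]
    for token in tokens[1:]:
        if image.lower().endswith(".exe"):
            break
        image += " " + token
    return image


def autoruns(entries):
    """O4 entries as dicts: hive, value name, resolved image, and user (None = machine-wide)."""
    out = []
    for section, body in entries:
        m = RUN_RE.match(body) if section == "O4" else None
        if m:
            hive, name, command, user = m.groups()
            out.append({"hive": hive, "name": name,
                        "image": launched_image(command), "user": user})
    return out


if __name__ == "__main__":
    entries = parse_hjt(HJT_LOG)
    print("orphaned BHOs:", orphaned_bhos(entries))
    for run in autoruns(entries):
        print(f"{run['hive']:<15} {run['name']:<22} -> {run['image']}  [{run['user'] or 'all users'}]")
```

Running it lists the one orphaned CLSID and, for the O4 lines, the Windows Defender and Sidebar entries resolved to their full unquoted paths, the two NVIDIA and the WelcomeCenter entries resolved to the DLLs that rundll32 loads, and the QuickTime entry taken from its quotes.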
Post by Belahzur on Fri 25 Sep 2009, 3:34 pm

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34918
Joined: 2008-08-03
Gender: Male
OS: 7 Home Premium x64
Points: 245101
Likes: 1

Post by LordZet on Fri 25 Sep 2009, 5:18 pm

Malwarebytes' Anti-Malware 1.41
Database version: 2860
Windows 6.0.6001 Service Pack 1

9/25/2009 3:17:42 PM
mbam-log-2009-09-25 (15-17-42).txt

Scan type: Quick Scan
Objects scanned: 79654
Time elapsed: 2 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Palmer\AppData\Local\Temp\xranwmcoes.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Palmer\AppData\Local\Temp\xwrnasmeco.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Users\Palmer\AppData\Local\Temp\nrwxsecmao.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Palmer\AppData\Local\Temp\rnsaxmecow.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Users\Palmer\AppData\Local\Temp\aoewncsxmr.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Palmer\AppData\Local\Temp\awrxsncemo.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Users\Palmer\list.txt (Malware.Trace) -> Quarantined and deleted successfully.

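Added example (Python written for this page, not Malwarebytes' code and not anything posted in the thread): a parser for the MBAM log above that checks the per-section counters against the detection lines actually listed, groups the file hits by directory, lists any that are not under the profile's Temp directory, and pulls the bad/good values out of the registry data item. The constant is the posted log reduced to the lines the parser uses.

```python
import re
import ntpath
from collections import defaultdict

# The MBAM log posted above, reduced to the lines the parser acts on: the
# per-section counters, the section headers and the detection lines.
MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.41
Database version: 2860
Scan type: Quick Scan
Objects scanned: 79654

Memory Processes Infected: 0
Registry Data Items Infected: 1
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\Palmer\AppData\Local\Temp\xranwmcoes.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Palmer\AppData\Local\Temp\xwrnasmeco.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Users\Palmer\AppData\Local\Temp\nrwxsecmao.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Palmer\AppData\Local\Temp\rnsaxmecow.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Users\Palmer\AppData\Local\Temp\aoewncsxmr.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Palmer\AppData\Local\Temp\awrxsncemo.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Users\Palmer\list.txt (Malware.Trace) -> Quarantined and deleted successfully.
"""

COUNT_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
DETECT_RE = re.compile(r"^(.+?) \(([\w.]+)\) -> (.*)$")


def parse_mbam(text):
    """Return {'counts': {section: n}, 'items': {section: [(item, family, action)]}}."""
    counts, items, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            items.setdefault(section, [])
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = DETECT_RE.match(line)
        if m:
            items[section].append(m.groups())
    return {"counts": counts, "items": items}


def count_mismatches(report):
    """Header counters that disagree with the detection lines actually listed."""
    return [s for s, n in report["counts"].items() if n != len(report["items"].get(s, []))]


def files_by_directory(report):
    """Group file and folder detections by parent directory (lower-cased for comparison)."""
    groups = defaultdict(list)
    for section in ("Files Infected", "Folders Infected"):
        for path, family, _action in report["items"].get(section, []):
            groups[ntpath.dirname(path).lower()].append((ntpath.basename(path), family))
    return dict(groups)


def files_outside_temp(report):
    """Names of file detections that do not sit under the profile's Temp directory."""
    return [name for directory, hits in files_by_directory(report).items()
            if not directory.endswith(r"\appdata\local\temp")
            for name, _family in hits]


def registry_fixes(report):
    """(value name, family, bad, good) for each registry data item MBAM reverted."""
    fixes = []
    for key, family, action in report["items"].get("Registry Data Items Infected", []):
        m = re.search(r"Bad: \((.*?)\) Good: \((.*?)\)", action)
        fixes.append((key.rsplit("\\", 1)[-1], family,
                      m.group(1) if m else None, m.group(2) if m else None))
    return fixes


if __name__ == "__main__":
    report = parse_mbam(MBAM_LOG)
    print("counter mismatches:", count_mismatches(report) or "none")
    for directory, hits in files_by_directory(report).items():
        print(directory, "->", ", ".join(f"{n} ({f})" for n, f in hits))
    print("outside Temp:", files_outside_temp(report))
    print("registry reverted:", registry_fixes(report))
```

On the posted log this prints no counter mismatches, one directory group holding the six Temp files, list.txt as the lone file detection outside Temp, and Start_ShowSearch reverted from 0 to 1 (the Explorer value that controls whether the Start menu shows its Search link).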
Post by Belahzur on Fri 25 Sep 2009, 5:38 pm


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both reports to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt just yet.


Post by LordZet on Fri 25 Sep 2009, 5:50 pm

DDS (Ver_09-09-24.01) - NTFSx86
Run by Palmer at 15:47:56.89 on Fri 09/25/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1982.1142 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Palmer\Downloads\dds(2).scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - [You must be registered and logged in to see this link.]
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - [You must be registered and logged in to see this link.]
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\palmer\appdata\roaming\mozilla\firefox\profiles\pce2rwvg.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-9-25 108289]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-2-9 193840]

=============== Created Last 30 ================

2009-09-25 15:25 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-09-25 15:25 --d----- c:\programdata\Avira
2009-09-25 15:25 --d----- c:\program files\Avira
2009-09-25 15:25 --d----- c:\progra~2\Avira
2009-09-25 15:12 --d----- c:\users\palmer\appdata\roaming\Malwarebytes
2009-09-25 15:12 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-25 15:12 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-25 15:12 --d----- c:\programdata\Malwarebytes
2009-09-25 15:12 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-25 15:12 --d----- c:\progra~2\Malwarebytes
2009-09-23 09:41 --d--r-- c:\program files\Skype
2009-09-21 00:18 --d----- c:\programdata\Apple Computer
2009-09-21 00:18 --d----- c:\programdata\Apple
2009-09-20 21:51 1,256,448 a------- c:\windows\system32\lsasrv.dll
2009-09-20 21:51 499,712 a------- c:\windows\system32\kerberos.dll
2009-09-20 21:51 270,848 a------- c:\windows\system32\schannel.dll
2009-09-20 21:51 213,504 a------- c:\windows\system32\msv1_0.dll
2009-09-20 21:51 175,104 a------- c:\windows\system32\wdigest.dll
2009-09-20 21:51 439,896 a------- c:\windows\system32\drivers\ksecdd.sys
2009-09-20 21:51 72,704 a------- c:\windows\system32\secur32.dll
2009-09-20 21:51 9,728 a------- c:\windows\system32\lsass.exe
2009-09-09 10:01 2,868,224 a------- c:\windows\system32\mf.dll
2009-09-05 01:54 94,208 a------- c:\windows\system32\QuickTimeVR.qtx
2009-09-05 01:54 69,632 a------- c:\windows\system32\QuickTime.qts
2009-09-01 08:54 --d----- c:\users\palmer\Tracing
2009-09-01 08:54 --d----- c:\program files\Microsoft
2009-09-01 08:53 --d----- c:\program files\Windows Live SkyDrive
2009-09-01 08:53 --d----- c:\windows\PCHEALTH
2009-08-30 11:06 56 a---h--- c:\programdata\ezsidmv.dat
2009-08-30 11:06 56 a---h--- c:\progra~2\ezsidmv.dat
2009-08-30 11:01 --d----- c:\programdata\Skype

==================== Find3M ====================

2009-09-25 15:20 27,934 a------- c:\programdata\nvModes.dat
2009-09-25 15:20 27,934 a------- c:\progra~2\nvModes.dat
2009-08-14 12:07 897,608 a------- c:\windows\system32\drivers\tcpip.sys
2009-08-14 11:29 104,960 a------- c:\windows\system32\netiohlp.dll
2009-08-14 11:29 17,920 a------- c:\windows\system32\netevent.dll
2009-08-14 09:16 17,920 a------- c:\windows\system32\ROUTE.EXE
2009-08-14 09:16 9,728 a------- c:\windows\system32\TCPSVCS.EXE
2009-08-14 09:16 11,264 a------- c:\windows\system32\MRINFO.EXE
2009-08-14 09:16 27,136 a------- c:\windows\system32\NETSTAT.EXE
2009-08-14 09:16 19,968 a------- c:\windows\system32\ARP.EXE
2009-08-14 09:16 10,240 a------- c:\windows\system32\finger.exe
2009-08-14 09:16 8,704 a------- c:\windows\system32\HOSTNAME.EXE
2009-07-26 16:44 48,448 a------- c:\windows\system32\sirenacm.dll
2009-07-18 11:06 827,904 a------- c:\windows\system32\wininet.dll
2009-07-18 11:01 78,336 a------- c:\windows\system32\ieencode.dll
2009-07-18 04:46 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-07-17 09:35 71,680 a------- c:\windows\system32\atl.dll
2009-07-14 08:00 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-07-14 07:59 4,096 a------- c:\windows\system32\dxmasf.dll
2009-07-14 07:58 7,680 a------- c:\windows\system32\spwmp.dll
2009-07-14 05:59 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-07-11 14:32 513,024 a------- c:\windows\system32\wlansvc.dll
2009-07-11 14:32 302,592 a------- c:\windows\system32\wlansec.dll
2009-07-11 14:32 293,376 a------- c:\windows\system32\wlanmsm.dll
2009-07-11 14:29 127,488 a------- c:\windows\system32\L2SecHC.dll
2009-03-10 03:00 51,200 a------- c:\windows\inf\infpub.dat
2009-03-10 03:00 86,016 a------- c:\windows\inf\infstrng.dat
2009-02-09 21:19 86,016 a------- c:\windows\inf\infstor.dat
2009-02-09 19:17 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 21:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 15:48:49.23 ===============

Post by Belahzur on Fri 25 Sep 2009, 9:13 pm

Hello.

  • Click Start >> Control Panel.
  • Under Programs, click Uninstall a Program.
  • Highlight Java(TM) 6 Update 12
  • Click on the Uninstall/Change button at the top.

How is the machine running now?


Post by LordZet on Fri 25 Sep 2009, 9:51 pm

I don't notice any difference.

Post by Belahzur on Sat 26 Sep 2009, 3:54 pm

Hello.
This doesn't look too bad. MBAM found some malicious files, but only in the temp folder location, and DDS looks okay. Speed-wise you probably won't notice any difference, but there doesn't appear to be any malware hiding.


Post by LordZet on Sat 26 Sep 2009, 4:24 pm

Oh good...then it really is my laptop. Here I was hoping it wasn't.

Post by Belahzur on Sat 26 Sep 2009, 4:34 pm

Hold on, I didn't say I gave up yet.

Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.


Post by LordZet on Sat 26 Sep 2009, 8:24 pm

Oh, I thought I was done and it really was my laptop that wasn't working. I thought it was a virus that was causing it to overheat a lot... turns out I was wrong and my fan is broken.

Post by Belahzur on Sat 26 Sep 2009, 8:39 pm

Darn. Problem is, it's going to be hard to fix that on a laptop; it's hard to access the fan area. You'll have to take it to a computer shop and let them take it apart.


Post by LordZet on Mon 28 Sep 2009, 11:43 am

GMER 1.0.15.15087 - [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-28 09:41:56
Windows 6.0.6001 Service Pack 1
Running: 628l5x7d.exe; Driver: C:\Users\Palmer\AppData\Local\Temp\ufryapoc.sys


---- System - GMER 1.0.15 ----

SSDT A3FC1FBC ZwCreateThread
SSDT A3FC1FA8 ZwOpenProcess
SSDT A3FC1FAD ZwOpenThread
SSDT A3FC1FB7 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetTimerEx + 454 81CFEA18 4 Bytes [BC, 1F, FC, A3]
.text ntkrnlpa.exe!KeSetTimerEx + 624 81CFEBE8 4 Bytes [A8, 1F, FC, A3]
.text ntkrnlpa.exe!KeSetTimerEx + 640 81CFEC04 4 Bytes [AD, 1F, FC, A3]
.text ntkrnlpa.exe!KeSetTimerEx + 854 81CFEE18 4 Bytes [B7, 1F, FC, A3]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Post by Origin on Mon 28 Sep 2009, 11:45 am

Please download [You must be registered and logged in to see this link.]

  • Next, run the file. Note: if running Vista, right-click and select Run as administrator.
  • Once opened, navigate to the log tab, select all the areas including the "hidden objects only" box, and click on the create log button.
  • A scan will start and then a window will pop up with two options; select scan all drives.
  • Once finished, it will give you the location where the log was saved (usually the desktop); navigate there, open the log and post all of its contents back here.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]


Origin
Master
Posts: 2685
Joined: 2009-05-05
Gender: Male
OS: Windows Xp Sp3
Points: 31513
Likes: 0

Post by LordZet on Mon 28 Sep 2009, 1:29 pm

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_dumpata.sys
Service Name: ---
Module Base: 8C476000
Module End: 8C481000
hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: 8C481000
Module End: 8C489000
hidden: Yes

Module Name: \??\C:\Users\Palmer\AppData\Local\Temp\ufryapoc.sys
Service Name: ufryapoc
Module Base: 971CF000
Module End: 971E4000
hidden: Yes

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwCreateThread
Address: A3FC1FBC
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenProcess
Address: A3FC1FA8
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenThread
Address: A3FC1FAD
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwTerminateProcess
Address: A3FC1FB7
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
No IRP Hooks found

******************************************************************************************
******************************************************************************************
Ports:
Local Address: PALMER-PC.GATEWAY.2WIRE.NET:49322
Remote Address: 185-131.AMAZON.COM:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PALMER-PC.GATEWAY.2WIRE.NET:49319
Remote Address: GX-IN-F101.GOOGLE.COM:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PALMER-PC.GATEWAY.2WIRE.NET:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: PALMER-PC:49299
Remote Address: LOCALHOST:49298
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PALMER-PC:49298
Remote Address: LOCALHOST:49299
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PALMER-PC:49297
Remote Address: LOCALHOST:49296
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PALMER-PC:49296
Remote Address: LOCALHOST:49297
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PALMER-PC:49156
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\lsass.exe
State: LISTENING

Local Address: PALMER-PC:49155
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\services.exe
State: LISTENING

Local Address: PALMER-PC:49154
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING

Local Address: PALMER-PC:49153
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING

Local Address: PALMER-PC:49152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\wininit.exe
State: LISTENING

Local Address: PALMER-PC:5357
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: PALMER-PC:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: PALMER-PC:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING

Local Address: PALMER-PC.GATEWAY.2WIRE.NET:53585
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: PALMER-PC.GATEWAY.2WIRE.NET:SSDP
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: PALMER-PC.GATEWAY.2WIRE.NET:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: PALMER-PC.GATEWAY.2WIRE.NET:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: PALMER-PC:53586
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: PALMER-PC:SSDP
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: PALMER-PC:LLMNR
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: PALMER-PC:IPSEC-MSFT
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: PALMER-PC:500
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: PALMER-PC:123
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

******************************************************************************************
******************************************************************************************
No hidden files/folders found

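Reading the GMER and SysProt output together, as an added example (Python written for this page, not from either tool or from the thread): GMER lists four SSDT entries redirected to A3FC1FA8 through A3FC1FBC, and four 4-byte changes inside ntkrnlpa.exe at offsets from KeSetTimerEx. Decoding each 4-byte change little-endian shows the "kernel code sections" lines are those same four SSDT slots being displayed, not additional inline patches of kernel code, and subtracting each offset from its address gives one consistent base for KeSetTimerEx, which confirms that GMER prints the offsets in hex. SysProt reported the same four hooks with Driver Name _unknown_; checking each hook target against the module ranges SysProt listed shows none falls inside a listed module, so these logs by themselves do not identify the hooking driver (those four routines are ones security products commonly hook for self-protection, and the DDS log shows Avira was installed that afternoon, but nothing on the page attributes the hooks to it). The third hidden module, C:\Users\Palmer\AppData\Local\Temp\ufryapoc.sys, is the driver GMER's own header says it loaded ("Running: 628l5x7d.exe; Driver: ..."), so it is not a rootkit finding.

```python
import re

# GMER lines copied from the post above: the four SSDT entries and the four
# 4-byte "kernel code section" changes it reported inside ntkrnlpa.exe.
GMER_OUTPUT = """\
SSDT A3FC1FBC ZwCreateThread
SSDT A3FC1FA8 ZwOpenProcess
SSDT A3FC1FAD ZwOpenThread
SSDT A3FC1FB7 ZwTerminateProcess
.text ntkrnlpa.exe!KeSetTimerEx + 454 81CFEA18 4 Bytes [BC, 1F, FC, A3]
.text ntkrnlpa.exe!KeSetTimerEx + 624 81CFEBE8 4 Bytes [A8, 1F, FC, A3]
.text ntkrnlpa.exe!KeSetTimerEx + 640 81CFEC04 4 Bytes [AD, 1F, FC, A3]
.text ntkrnlpa.exe!KeSetTimerEx + 854 81CFEE18 4 Bytes [B7, 1F, FC, A3]
"""

# Kernel module blocks copied from the SysProt post above.  The third one is
# the randomly named driver GMER itself reported loading from the Temp folder.
SYSPROT_MODULES = r"""
Module Name: \SystemRoot\System32\Drivers\dump_dumpata.sys
Module Base: 8C476000
Module End: 8C481000
hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Module Base: 8C481000
Module End: 8C489000
hidden: Yes

Module Name: \??\C:\Users\Palmer\AppData\Local\Temp\ufryapoc.sys
Module Base: 971CF000
Module End: 971E4000
hidden: Yes
"""

SSDT_RE = re.compile(r"^SSDT ([0-9A-F]{8}) (Zw\w+)$")
PATCH_RE = re.compile(r"^\.text (\S+) \+ ([0-9A-F]+) ([0-9A-F]{8}) (\d+) Bytes \[([0-9A-F, ]+)\]$")
MODULE_RE = re.compile(r"^Module (Name|Base|End): (.*)$")


def _lines(text):
    return [line.strip() for line in text.splitlines()]


def parse_ssdt(text):
    """{service name: hook target address} from GMER's SSDT lines."""
    return {m.group(2): int(m.group(1), 16)
            for m in map(SSDT_RE.match, _lines(text)) if m}


def parse_code_patches(text):
    """GMER '.text' lines as dicts.  GMER prints both the offset and the address in hex."""
    patches = []
    for m in filter(None, map(PATCH_RE.match, _lines(text))):
        raw = bytes(int(b, 16) for b in m.group(5).split(","))
        patches.append({"symbol": m.group(1), "offset": int(m.group(2), 16),
                        "address": int(m.group(3), 16), "bytes": raw})
    return patches


def symbol_bases(patches):
    """address - offset for each patch; a single value means the offsets parsed consistently."""
    return {p["address"] - p["offset"] for p in patches}


def patches_as_ssdt_slots(hooks, patches):
    """Decode each 4-byte change little-endian and look it up among the SSDT hook targets.
    A hit means the 'code section' line is the SSDT slot itself, not an inline code patch."""
    by_target = {addr: name for name, addr in hooks.items()}
    return {p["address"]: by_target.get(int.from_bytes(p["bytes"], "little"))
            for p in patches if len(p["bytes"]) == 4}


def hook_cluster_span(hooks):
    """Byte distance between the lowest and highest hook target (small = one stub block)."""
    return max(hooks.values()) - min(hooks.values())


def parse_modules(text):
    """SysProt module blocks as [{'name', 'base', 'end'}]; other fields are ignored."""
    mods, cur = [], None
    for m in filter(None, map(MODULE_RE.match, _lines(text))):
        field, value = m.groups()
        if field == "Name":
            cur = {"name": value}
            mods.append(cur)
        else:
            cur[field.lower()] = int(value, 16)
    return mods


def owner_of(address, modules):
    """Name of the module whose [base, end) range holds the address, or None."""
    return next((m["name"] for m in modules if m["base"] <= address < m["end"]), None)


def unattributed_hooks(hooks, modules):
    """Hooks whose target lies in no listed module: the logs alone cannot name the hooker."""
    return sorted(n for n, a in hooks.items() if owner_of(a, modules) is None)


if __name__ == "__main__":
    hooks, patches = parse_ssdt(GMER_OUTPUT), parse_code_patches(GMER_OUTPUT)
    print("KeSetTimerEx resolves to", [f"{b:08X}" for b in symbol_bases(patches)])
    print("code-section changes are SSDT slots:", patches_as_ssdt_slots(hooks, patches))
    print(f"hook targets lie within 0x{hook_cluster_span(hooks):X} bytes of each other")
    print("hooks in no SysProt module:", unattributed_hooks(hooks, parse_modules(SYSPROT_MODULES)))
```

The four hook targets lie within 0x14 bytes of each other, which points to a single block of stubs from one driver; owner_of() uses a half-open range so an address equal to one module's end is attributed to the next module that starts there, as the two dump_* drivers do.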
Post by Belahzur on Mon 28 Sep 2009, 3:11 pm

Hello.
As said before, there isn't anything we can do here.


Post by LordZet on Mon 28 Sep 2009, 4:44 pm

My laptop only overheats when I play games. I'm assuming Geek Squad messed my laptop up because it never did this before the HDD crash. Ah well, it sucked for gaming either way. Now all I have to do is find a way to activate my Vista.

Alright, are we cleaned up?
