TechSpot

Am I rootkit free? Logs posted

Inactive
By HercTurkey
Mar 16, 2011
Topic Status:
Not open for further replies.
  1. My buddy's Vista found 2 trojans. I have cleaned them, but was wondering if he may also have a rootkit...

    Thanks for looking.


    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6071

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.19019

    3/15/2011 8:36:59 PM
    mbam-log-2011-03-15 (20-36-59).txt

    Scan type: Quick scan
    Objects scanned: 156633
    Time elapsed: 5 minute(s), 22 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2011-03-16 16:29:00
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\0000004e Maxtor_7 rev.VA13
    Running: h7mb0f2g.exe; Driver: C:\Users\Frank\AppData\Local\Temp\uglcypog.sys


    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Windows\Explorer.EXE[1236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74637817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7468A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7463BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7462F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [746375E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7462E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74668395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7463DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7462FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7462FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [746271CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [746BCAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7465C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7462D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74626853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7462687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74632AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\ACPI_HAL \Device\0000003e halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
    Device \FileSystem\fastfat \Fat 805DDA7A

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----



    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Frank at 16:37:30.49 on Wed 03/16/2011
    Internet Explorer: 8.0.6001.19019
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.958.322 [GMT -5:00]
    .
    AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\system32\svchost.exe -k hpdevmgmt
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\Macrium\Reflect\ReflectService.exe
    C:\Windows\system32\STacSV.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\NETGEAR\WNDA3100v2\WifiSvc.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Frank\Desktop\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    mRun: [<NO NAME>]
    mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SigmatelSysTrayApp] c:\program files\sigmatel\c-major audio\wdm\sttray.exe
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    Trusted Zone: dell.com\smartsource
    DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxps://support.dell.com/systemprofiler/SysProExe.CAB
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\frank\appdata\roaming\mozilla\firefox\profiles\6162rs3n.default\
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2010-3-17 15328]
    R0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\drivers\SCMNdisP.sys [2010-6-9 21728]
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165264]
    R1 MpKsl92e12f83;MpKsl92e12f83;c:\programdata\microsoft\microsoft antimalware\definition updates\{2a39ed9a-2432-42ef-a4ca-5657a44d6436}\MpKsl92e12f83.sys [2011-3-16 28752]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2010-6-10 21504]
    R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2010-3-17 220128]
    R2 WSWNDA3100;WSWNDA3100;c:\program files\netgear\wnda3100v2\WifiSvc.exe [2010-6-9 278528]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-12-2 43392]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh6.sys [2010-6-9 671736]
    S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2010-6-10 54632]
    S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
    S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
    S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
    S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2010-6-9 34064]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2011-03-16 21:32:36 28752 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{2a39ed9a-2432-42ef-a4ca-5657a44d6436}\MpKsl92e12f83.sys
    2011-03-16 04:38:18 5943120 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{2a39ed9a-2432-42ef-a4ca-5657a44d6436}\mpengine.dll
    2011-03-16 01:30:47 -------- d-----w- c:\users\frank\appdata\roaming\Malwarebytes
    2011-03-16 01:30:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-16 01:30:41 -------- d-----w- c:\progra~2\Malwarebytes
    2011-03-16 01:30:37 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-16 01:30:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-08 21:38:07 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-03-08 21:38:07 2067968 ----a-w- c:\windows\system32\mstscax.dll
    2011-03-08 21:38:06 429056 ----a-w- c:\windows\system32\EncDec.dll
    2011-03-08 21:38:05 322560 ----a-w- c:\windows\system32\sbe.dll
    2011-03-08 21:38:04 177664 ----a-w- c:\windows\system32\mpg2splt.ax
    2011-03-08 21:38:04 153088 ----a-w- c:\windows\system32\sbeio.dll
    2011-02-21 06:15:23 439632 ------w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{7c34eac6-4171-478a-b8d7-2c48d414a20e}\gapaengine.dll
    2011-02-21 02:35:10 -------- d-----w- c:\windows\Temp2F7B24AD-1842-7E16-0944-B2375E5AD188-Signatures
    2011-02-21 02:34:14 -------- d-----w- c:\program files\Microsoft Security Client
    2011-02-21 02:33:31 221568 ----a-w- c:\windows\system32\drivers\netio.sys
    .
    ==================== Find3M ====================
    .
    2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
    2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
    2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll
    2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll
    2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll
    2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll
    2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv
    2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll
    2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll
    2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
    2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll
    2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll
    2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll
    2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
    2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
    2011-01-20 14:24:32 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
    2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
    2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
    2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll
    2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
    2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
    2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll
    2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll
    2011-01-20 13:44:05 1068544 ----a-w- c:\windows\system32\DWrite.dll
    2011-01-20 13:44:03 797184 ----a-w- c:\windows\system32\FntCache.dll
    2011-01-08 08:47:50 34304 ----a-w- c:\windows\system32\atmlib.dll
    2011-01-08 06:28:49 292352 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:57:01 2039808 ----a-w- c:\windows\system32\win32k.sys
    2010-12-28 15:55:03 413696 ----a-w- c:\windows\system32\odbc32.dll
    2010-12-18 06:27:04 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-12-18 06:22:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-18 06:22:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-12-18 06:22:11 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-12-18 06:22:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-12-18 05:25:26 385024 ----a-w- c:\windows\system32\html.iec
    2010-12-18 04:48:39 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-12-18 04:47:11 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    .
    ============= FINISH: 16:38:00.48 ===============


    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 6/9/2010 5:59:29 PM
    System Uptime: 3/16/2011 4:32:09 PM (0 hours ago)
    .
    Motherboard: Dell Inc | | 0HY175
    Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 3800+ | Socket M2 | 2000/1000mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 166 GiB total, 120.512 GiB free.
    D: is FIXED (NTFS) - 11 GiB total, 3.296 GiB free.
    E: is FIXED (NTFS) - 56 GiB total, 4.711 GiB free.
    F: is CDROM ()
    G: is Removable
    H: is Removable
    I: is Removable
    J: is Removable
    K: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Broadcom 440x 10/100 Integrated Controller
    Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01F41028&REV_02\4&DC268A3&0&3880
    Manufacturer: Broadcom
    Name: Broadcom 440x 10/100 Integrated Controller
    PNP Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01F41028&REV_02\4&DC268A3&0&3880
    Service: bcm4sbxp
    .
    ==== System Restore Points ===================
    .
    .
    ==== Installed Programs ======================
    .
    32 Bit HP CIO Components Installer
    7-Zip 9.13 beta
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.3
    Adobe Shockwave Player 11.5
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Bonjour
    Broadcom 440x 10/100 Integrated Controller
    BufferChm
    Cards_Calendar_OrderGift_DoMorePlugout
    CCleaner
    Copy
    Defraggler
    Destination Component
    DeviceDiscovery
    DeviceManagementQFolder
    DocProc
    DocProcQFolder
    Fax
    Google Chrome
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Imaging Device Functions 10.0
    HP Photosmart C4340 All-In-One Driver Software 10.0 Rel .3
    HP Photosmart Essential 2.5
    HPPhotoSmartPhotobookWebPack1
    iTunes
    Junk Mail filter update
    KeePass Password Safe 2.10
    Macrium Reflect - Free Edition
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Antimalware
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Mozilla Firefox (3.6.15)
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NETGEAR WNDA3100v2 wireless USB 2.0 adapter
    Notepad++
    NVIDIA Drivers
    OCR Software by I.R.I.S. 10.0
    PanoStandAlone
    Picasa 3
    PS_AIO_03_C4340_ProductContext
    PS_AIO_03_C4340_Software
    PS_AIO_03_C4340_Software_Min
    PSSWCORE
    QuickTime
    Roxio Creator Audio
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Drag-to-Disc
    Roxio Express Labeler
    Roxio MyDVD DE
    Roxio Update Manager
    Scan
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    SigmaTel Audio
    Sonic Activation Module
    Speccy
    SpywareBlaster 4.4
    Status
    Toolbox
    TrayApp
    UnloadSupport
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    VideoToolkit01
    WebReg
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Family Safety
    Windows Live Mail
    Windows Live Messenger
    Windows Live Movie Maker
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Upload Tool
    Windows Live Writer
    .
    ==== End Of File ===========================
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot! The problem with third party help is that I have to ask you and you have to ask him-or her!

    1. Why are you wondering this? Does the system show any problems that could be related to malware?
    2. How were the Trojans found? By security program? (Actually it wasn't 'his Vista' that found them- Vista is an operating system, not a security program.)
    3. Where were the Trojans found? In a document? In email?
    4. Do you remember name of the Trojans and were they actually 'Trojans or other malware?
    =============================================
    Nothing is evident in these logs, but that doesn't rule out a rootkit or other malware. Without any information about the system or source of 'Trojans', I'll have you run the following:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
    10. Click anywhere in the post where you want the logs to go, the do Ctrl V. The log will be sent from the clipboard and pasted in the post.
    11. Re-enable your Antivirus software.
      NOTE: If you forget to copy to the clipboard you can find the log here:
      C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    =====================================
    Download Combofix from HERE or HERE and save it to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      [​IMG]
    • .Click on Yes, to continue scanning for malware
    • .If Combofix asks you to update the program, allow
    • .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • .Close any open browsers.
    • .Double click combofix.exe[​IMG] & follow the prompts to run.
    • When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
  3. HercTurkey

    HercTurkey TS Rookie Topic Starter

    I believe the breach was a 'curiosity' link in an email that he received from his brother. Of course he clicked it, and mysterious downloads occurred. I found one version in his download folder and I used MS Security Essentials to clean it. MSSE found a few copies of the second version in various caches. I do not have the names/locations handy, but I will update the post when I do the work you have requested. MSSE identified them as 'trojan'. Right now the system looks normal, it was crashing with BSOD and it did not look like it was updating. I don't think the nightly scheduled virus scan was working either. It updated as soon as it was cleaned, I will check the logs to see if the maintenance is running now.

    By 'Vista' I meant his machine running Vista not necessarily just the OS. I'm just a lazy typer. ;)

    Thanks for checking the logs, I will get the work done 2nite and post the results.
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, post when ready.
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.