Bitcoin Forum

Other => Off-topic => Topic started by: dree12 on July 22, 2012, 09:58:10 PM



Title: [Solved] Windows infection: please help a security newbie
Post by: dree12 on July 22, 2012, 09:58:10 PM
My computer with Bitcoin on it has become infected.

There isn't anything of value to worry about. The wallet is encrypted and backed-up. And, I doubt the malware currently infecting the system is interested in stealing it anyways.

Right now, I'm more interested in salvaging the system (a clean install is likely to be both time-consuming and overwrite many files I didn't consider important enough to backup into my limited 4GB thumb drive).

I suspect the culprit is a rootkit. Neither Kaspersky's TDSSKiller nor Symantec's ZeroAccess rootkit killer found anything, though. Malwarebytes is taking a long time to scan, and is at 2 infected objects found. I suspect Microsoft Safety Scanner has found the same two items.

How the malware bypassed UAC is unknown. The websites I visit should mostly come from the "safe sector of the net", and no websites in history are immediately suspicious. However, I do notice that "Adobe installation helper" has recently been run. This is the most likely culprit.

The symptoms of the infection are diverse. I'll try to list some of the most obvious ones below:
  • The system is extremely slow and input is often interrupted.
  • Some services are missing (not stopped, but gone): Background Intelligent Transfer, Microsoft Antispyware, Windows Update, and Windows Firewall (probably more).
  • As a consequence, MSE, Windows Firewall, and Windows Update are disabled and cannot be enabled.
  • Google and Bing search results are sometimes randomly redirected to garbage websites.

My system is a genuine Windows 7 Professional install.

Any help would be greatly appreciated.


Title: Re: Windows infection: please help a security newbie
Post by: Raoul Duke on July 22, 2012, 10:04:47 PM
Run this http://www.surfright.nl/en/hitmanpro/

No installation is needed, so it may save your day.


Title: Re: Windows infection: please help a security newbie
Post by: finkleshnorts on July 22, 2012, 10:30:16 PM
Same thing happened to me. I ran GMER and some other tool on it, nothing was found, but I knew I was in trouble. My credit card ended up being used at an ATM in Russia shortly after. I just switched to Linux and changed all my PINs and passwords.


Title: Re: Windows infection: please help a security newbie
Post by: unclemantis on July 22, 2012, 10:38:27 PM
I really need to get around to just biting the bullet and running nothing but Linux.


Title: Re: Windows infection: please help a security newbie
Post by: dree12 on July 22, 2012, 11:03:33 PM
Same thing happened to me. I ran GMER and some other tool on it, nothing was found, but I knew I was in trouble. My credit card ended up being used at an ATM in Russia shortly after. I just switched to Linux and changed all my PINs and passwords.
One of the advantages Bitcoin offers is greater security :).

Same thing happened to me. I ran GMER and some other tool on it, nothing was found, but I knew I was in trouble. My credit card ended up being used at an ATM in Russia shortly after. I just switched to Linux and changed all my PINs and passwords.
Running GMER right now. Meanwhile, I'm copying the files I mentioned to a USB key. Hopefully this works.


Title: Re: Windows infection: please help a security newbie
Post by: amencon on July 22, 2012, 11:04:21 PM
To the best of my knowledge even "safe sector of the internet" sites sometimes let ads with malicious code slip through.  I'd recommend in the future running a browser with the no-script plugin running.  This way no script is run without your consent and knowledge.

As for your current infection Malwarebytes and combofix are a good start.  The browser hijacking may be due to a modified HOSTS file (how to reset the file http://pctechnotes.com/how-to-reset-windows-hosts-file/).

If malwarebytes/Combofix/GMER doesn't set you straight update the thread and let us know what still isn't working right.

Always be wary of the system in the future if you decide not to "nuke it from orbit" though.


Title: Re: Windows infection: please help a security newbie
Post by: finkleshnorts on July 22, 2012, 11:11:02 PM
Same thing happened to me. I ran GMER and some other tool on it, nothing was found, but I knew I was in trouble. My credit card ended up being used at an ATM in Russia shortly after. I just switched to Linux and changed all my PINs and passwords.
One of the advantages Bitcoin offers is greater security :).

I consider myself lucky that they didn't get into my wallet or private keys (ditched those). The VISA refund was nice, too.

Good luck!


Title: Re: Windows infection: please help a security newbie
Post by: myrkul on July 22, 2012, 11:13:06 PM
To the best of my knowledge even "safe sector of the internet" sites sometimes let ads with malicious code slip through.  I'd recommend in the future running a browser with the no-script plugin running.  This way no script is run without your consent and knowledge.

This^

Ever since I switched to Firefox+Noscript, the only experiences I've had with malware of any sort is clearing it off my friends' computers.


Title: Re: Windows infection: please help a security newbie
Post by: dree12 on July 22, 2012, 11:42:26 PM
To the best of my knowledge even "safe sector of the internet" sites sometimes let ads with malicious code slip through.  I'd recommend in the future running a browser with the no-script plugin running.  This way no script is run without your consent and knowledge.

As for your current infection Malwarebytes and combofix are a good start.  The browser hijacking may be due to a modified HOSTS file (how to reset the file http://pctechnotes.com/how-to-reset-windows-hosts-file/).

If malwarebytes/Combofix/GMER doesn't set you straight update the thread and let us know what still isn't working right.

Always be wary of the system in the future if you decide not to "nuke it from orbit" though.
Thanks.

The hosts file is normal. The computer recently bluescreened, bringing Malwarebytes down with it (it's running again). Combofix isn't working (can't write "iexplore.exe").

I'm backing up the other important things now, in case worst comes to worst and a fresh install is necessary.


Title: Re: Windows infection: please help a security newbie
Post by: check_status on July 22, 2012, 11:43:31 PM
To get Malwarebytes to run properly, open the folder where Malwarebytes resides and rename the .exe to explorer.exe or firefox.exe.
Now right-click your renamed .exe and run it as admin. Malwarebytes should run as normal. Some infections block specific processes by name.

Malwarebytes is a specialized scanner that doesn't look for common infections, so you will need another scanner to look for other issues.
WinMHR, after your Malwarebytes scan, would be a good choice. They supply all of the AV companies with samples, so their database is much more complete, but it doesn't clean, only detects known non-rootkit malware.

After running WinMHR, you may have an MD5 to compare on a site like VirusTotal in their Hash search. This will tell you which AV companies are detecting it and so which ones can clean it.

Cheers


Title: Re: Windows infection: please help a security newbie
Post by: sadpandatech on July 22, 2012, 11:51:10 PM
If malwarebytes/Combofix/GMER doesn't set you straight update the thread and let us know what still isn't working right.

Always be wary of the system in the future if you decide not to "nuke it from orbit" though.

Curious here too. Malwarebytes is probably not worth messing with in this situation. Be sure to boot up in safe mode and then run Combofix and GMER. I noticed you said you tried TDSSKiller. Have you tried running RootkitRevealer? Do them all in safe mode first.

If you still are not getting anything, you can try running process explorer from MS. It often will allow you to detect 'unusual' entries that may not be obvious to the kit finders.

If all else fails, post us a copy of your Hijack This log.

cheers


Title: Re: Windows infection: please help a security newbie
Post by: check_status on July 23, 2012, 12:03:09 AM

Have you tried running rootkit revealer?
Really!? Mark still keeps this tool up to date? I thought he stopped developing it in 2008.
Do them all in safe mode first.
Some infections run even in safe mode, so this is not a solution.


Title: Re: Windows infection: please help a security newbie
Post by: dree12 on July 23, 2012, 12:08:53 AM
To get Malwarebytes to run properly, open the folder where Malwarebytes resides and rename the .exe to explorer.exe or firefox.exe.
Now right-click your renamed .exe and run it as admin. Malwarebytes should run as normal. Some infections block specific processes by name.

Malwarebytes is a specialized scanner that doesn't look for common infections, so you will need another scanner to look for other issues.
WinMHR, after your Malwarebytes scan, would be a good choice. They supply all of the AV companies with samples, so their database is much more complete, but it doesn't clean, only detects known non-rootkit malware.

After running WinMHR, you may have an MD5 to compare on a site like VirusTotal in their Hash search. This will tell you which AV companies are detecting it and so which ones can clean it.

Cheers
Noted. Malwarebytes is running fine.

If malwarebytes/Combofix/GMER doesn't set you straight update the thread and let us know what still isn't working right.

Always be wary of the system in the future if you decide not to "nuke it from orbit" though.

Curious here too. Malwarebytes is probably not worth messing with in this situation. Be sure to boot up in safe mode and then run Combofix and GMER. I noticed you said you tried TDSSKiller. Have you tried running RootkitRevealer? Do them all in safe mode first.

If you still are not getting anything, you can try running process explorer from MS. It often will allow you to detect 'unusual' entries that may not be obvious to the kit finders.

If all else fails, post us a copy of your Hijack This log.

cheers
Rootkit revealer doesn't work on Windows 7.

Code:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 20:04:54, on 2012-07-22
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16447)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\TortoiseHg\TortoiseHgOverlayServer.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_3_300_265_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\~\AppData\Local\Temp\Temp1_ProcessExplorer.zip\procexp.exe
C:\Users\~\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer, optimized for Bing and MSN
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) -  - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files\Windows Live\Companion\companioncore.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [TortoiseHgOverlayIconServer] C:\Program Files\TortoiseHg\TortoiseHgOverlayServer.exe
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [wrorap] "C:\Windows\System32\rundll32.exe" "C:\Users\~\AppData\Roaming\wrorap.dll",SetStep
O4 - Startup: OpenOffice.org 3.4.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MIF5BA~1\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MIF5BA~1\Office14\ONBttnIE.dll/105
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - Trusted Zone: http://www.w3.org
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {339C1EE2-1029-46B8-81F1-360217F26FC4} (PowerCreator VGAPlayer Control) - http://mms.hwjyw.com/courseware///courseware/2008-2-28/pengjunjiangzuo31204167051316/VGAPlayer.cab
O16 - DPF: {444785F1-DE89-4295-863A-D46C3A781394} - http://webplayer.unity3d.com/download_webplayer-2.x/UnityWebPlayer.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {D1278801-B2C0-4332-BD3E-2F64D2204EDF} (Windows Live Mesh Upload Tool) - https://www.mesh.com/0.9.4014.21/TSWeb.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: DirMngr - Unknown owner - C:\Program Files\GNU\GnuPG\dirmngr.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe

--
End of file - 6224 bytes
(edited to remove my name, which means the byte count is incorrect).

I'm wondering, is it usually good practice to move the coins to a new wallet in this situation? The wallet is encrypted with a decent passphrase.


Title: Re: Windows infection: please help a security newbie
Post by: sadpandatech on July 23, 2012, 12:21:21 AM
Do them all in safe mode first.
Some infections run even in safe mode, so this is not a solution.

It is not a solution; it's the right way to do it.

Sorry, I also did not realize this thread was supposed to be a tech support 'wang off'. ;p


Title: Re: Windows infection: please help a security newbie
Post by: sadpandatech on July 23, 2012, 12:28:43 AM
What is this?
O4 - HKCU\..\Run: [wrorap] "C:\Windows\System32\rundll32.exe" "C:\Users\~\AppData\Roaming\wrorap.dll",SetStep


Nothing else stands out to me at least.
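As an added example (not from the thread or any of its posters), a small Python triage script for the O4 autostart entries of a HijackThis log. It flags the pattern sadpandatech picked out: a per-user Run entry that launches rundll32.exe on a DLL living under AppData\Roaming. The sample lines are constructed from the log posted above; the severity labels are my own, not HijackThis output.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines taken from the HijackThis log posted in
# this thread (the O23 line is included only to show that non-O4 lines are ignored).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [wrorap] "C:\Windows\System32\rundll32.exe" "C:\Users\~\AppData\Roaming\wrorap.dll",SetStep
O4 - Startup: OpenOffice.org 3.4.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O23 - Service: DirMngr - Unknown owner - C:\Program Files\GNU\GnuPG\dirmngr.exe
"""

# "O4 - HKLM\..\Run: [Name] command" and "O4 - Startup: Name.lnk = path"
RUN_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$')
STARTUP_RE = re.compile(
    r'^O4 - (?P<hive>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$')
# Locations where a legitimate autostart binary rarely lives.
USER_DIR_RE = re.compile(
    r'\\users\\[^\\]+\\appdata\\(roaming|local)\\|\\temp\\|%appdata%|%temp%', re.I)
# Signed Windows binaries that execute whatever DLL they are pointed at.
LOADERS = {'rundll32.exe', 'regsvr32.exe'}


@dataclass
class Finding:
    name: str       # the [Name] of the Run value, or the .lnk name
    hive: str       # HKLM, HKCU, Startup or Global Startup
    severity: str   # 'high', 'medium', 'low' or 'info' (labels are my own)
    reason: str


def split_cmd(cmd: str) -> list:
    """Split a Windows command line into tokens, honouring double quotes."""
    tokens, i, n = [], 0, len(cmd)
    while i < n:
        if cmd[i].isspace():
            i += 1
        elif cmd[i] == '"':
            j = cmd.find('"', i + 1)
            j = n if j == -1 else j
            tokens.append(cmd[i + 1:j])
            i = j + 1
        else:
            j = i
            while j < n and not cmd[j].isspace():
                j += 1
            tokens.append(cmd[i:j])
            i = j
    return tokens


def assess(cmd: str):
    """Return (severity, reason) for one autostart command line."""
    tokens = split_cmd(cmd)
    if not tokens:
        return 'info', 'empty command'
    exe = tokens[0].rsplit('\\', 1)[-1].lower()
    if exe in LOADERS and len(tokens) > 1:
        # rundll32 takes "path\to.dll,EntryPoint"; keep only the DLL path.
        target = tokens[1].split(',')[0]
        if USER_DIR_RE.search(target):
            return 'high', f'{exe} loads {target} from a user-profile directory'
        return 'low', f'{exe} loads {target}'
    if USER_DIR_RE.search(cmd):
        return 'medium', 'autostart binary lives in a user-profile directory'
    return 'info', 'runs from a system or program directory'


def triage(log_text: str) -> list:
    """Parse every O4 line of a HijackThis log and assess it."""
    findings = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line.strip()) or STARTUP_RE.match(line.strip())
        if m:
            sev, why = assess(m.group('cmd'))
            findings.append(Finding(m.group('name'), m.group('hive'), sev, why))
    return findings


def suspicious(log_text: str) -> list:
    """Only the entries worth asking the thread about."""
    return [f for f in triage(log_text) if f.severity in ('high', 'medium')]


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.severity:6} {f.hive:14} [{f.name}] {f.reason}')
```

On the sample, only the wrorap entry is reported as high; everything else in the posted O4 list runs from Program Files or System32 and stays at info.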


Title: Re: Windows infection: please help a security newbie
Post by: sadpandatech on July 23, 2012, 12:30:57 AM
If you do feel the need to move your coins, be sure to do it from a clean computer.

Did you mention the spec on your machine?

What processor, ram, vid card?


Title: Re: Windows infection: please help a security newbie
Post by: dree12 on July 23, 2012, 12:34:45 AM
What is this?
O4 - HKCU\..\Run: [wrorap] "C:\Windows\System32\rundll32.exe" "C:\Users\~\AppData\Roaming\wrorap.dll",SetStep


Nothing else stands out to me at least.
Do I "fix" it?

If you do feel the need to move your coins, be sure to do it from a clean computer.

Did you mention the spec on your machine?

What processor, ram, vid card?
DxDiag output:
Code:
------------------
System Information
------------------
Time of this report: 7/22/2012, 20:32:16
       Machine name: ~-PC
   Operating System: Windows 7 Professional 32-bit (6.1, Build 7601) Service Pack 1 (7601.win7sp1_gdr.120330-1504)
           Language: English (Regional Setting: English)
System Manufacturer: Dell Inc.
       System Model: Inspiron 1545                   
               BIOS: Phoenix ROM BIOS PLUS Version 1.10 A07
          Processor: Pentium(R) Dual-Core CPU       T4200  @ 2.00GHz (2 CPUs), ~2.0GHz
             Memory: 3072MB RAM
Available OS Memory: 3034MB RAM
          Page File: 2120MB used, 3946MB available
        Windows Dir: C:\Windows
    DirectX Version: DirectX 11
DX Setup Parameters: Not found
   User DPI Setting: Using System DPI
 System DPI Setting: 96 DPI (100 percent)
    DWM DPI Scaling: Disabled
     DxDiag Version: 6.01.7601.17514 32bit Unicode

------------
DxDiag Notes
------------
      Display Tab 1: No problems found.
        Sound Tab 1: No problems found.
          Input Tab: No problems found.

--------------------
DirectX Debug Levels
--------------------
Direct3D:    0/4 (retail)
DirectDraw:  0/4 (retail)
DirectInput: 0/5 (retail)
DirectMusic: 0/5 (retail)
DirectPlay:  0/9 (retail)
DirectSound: 0/5 (retail)
DirectShow:  0/6 (retail)

---------------
Display Devices
---------------
          Card name: Mobile Intel(R) 4 Series Express Chipset Family
       Manufacturer: Intel Corporation
          Chip type: Mobile Intel(R) 4 Series Express Chipset Family
           DAC type: Internal
         Device Key: Enum\PCI\VEN_8086&DEV_2A42&SUBSYS_02AA1028&REV_07
     Display Memory: 1325 MB
   Dedicated Memory: 64 MB
      Shared Memory: 1261 MB
       Current Mode: 1366 x 768 (32 bit) (60Hz)
       Monitor Name: Generic PnP Monitor
      Monitor Model: unknown
         Monitor Id: SEC5441
        Native Mode: 1366 x 768(p) (59.998Hz)
        Output Type: Internal
        Driver Name: igdumdx32.dll,igd10umd32.dll
Driver File Version: 8.15.0010.2302 (English)
     Driver Version: 8.15.10.2302
        DDI Version: 10
       Driver Model: WDDM 1.1
  Driver Attributes: Final Retail
   Driver Date/Size: 2/11/2011 19:09:48, 571904 bytes
        WHQL Logo'd: Yes
    WHQL Date Stamp:
  Device Identifier: {D7B78E66-6902-11CF-667B-A022A7C2C535}
          Vendor ID: 0x8086
          Device ID: 0x2A42
          SubSys ID: 0x02AA1028
        Revision ID: 0x0007
 Driver Strong Name: oem23.inf:Intel.Mfg:iCNT0:8.15.10.2302:pci\ven_8086&dev_2a42
     Rank Of Driver: 00E62001
        Video Accel: ModeMPEG2_A ModeMPEG2_C ModeWMV9_B ModeWMV9_C ModeVC1_B ModeVC1_C
   Deinterlace Caps: {BF752EF6-8CC4-457A-BE1B-08BD1CAEEE9F}: Format(In/Out)=(YUY2,YUY2) Frames(Prev/Fwd/Back)=(0,0,1) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_EdgeFiltering
                     {335AA36E-7884-43A4-9C91-7F87FAF3E37E}: Format(In/Out)=(YUY2,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_BOBVerticalStretch
                     {5A54A0C9-C7EC-4BD9-8EDE-F3C75DC4393B}: Format(In/Out)=(YUY2,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend
                     {BF752EF6-8CC4-457A-BE1B-08BD1CAEEE9F}: Format(In/Out)=(UYVY,YUY2) Frames(Prev/Fwd/Back)=(0,0,1) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_EdgeFiltering
                     {335AA36E-7884-43A4-9C91-7F87FAF3E37E}: Format(In/Out)=(UYVY,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_BOBVerticalStretch
                     {5A54A0C9-C7EC-4BD9-8EDE-F3C75DC4393B}: Format(In/Out)=(UYVY,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend
                     {BF752EF6-8CC4-457A-BE1B-08BD1CAEEE9F}: Format(In/Out)=(YV12,YUY2) Frames(Prev/Fwd/Back)=(0,0,1) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_EdgeFiltering
                     {335AA36E-7884-43A4-9C91-7F87FAF3E37E}: Format(In/Out)=(YV12,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_BOBVerticalStretch
                     {5A54A0C9-C7EC-4BD9-8EDE-F3C75DC4393B}: Format(In/Out)=(YV12,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend
                     {BF752EF6-8CC4-457A-BE1B-08BD1CAEEE9F}: Format(In/Out)=(NV12,YUY2) Frames(Prev/Fwd/Back)=(0,0,1) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_EdgeFiltering
                     {335AA36E-7884-43A4-9C91-7F87FAF3E37E}: Format(In/Out)=(NV12,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_BOBVerticalStretch
                     {5A54A0C9-C7EC-4BD9-8EDE-F3C75DC4393B}: Format(In/Out)=(NV12,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend
                     {BF752EF6-8CC4-457A-BE1B-08BD1CAEEE9F}: Format(In/Out)=(IMC1,YUY2) Frames(Prev/Fwd/Back)=(0,0,1) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_EdgeFiltering
                     {335AA36E-7884-43A4-9C91-7F87FAF3E37E}: Format(In/Out)=(IMC1,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_BOBVerticalStretch
                     {5A54A0C9-C7EC-4BD9-8EDE-F3C75DC4393B}: Format(In/Out)=(IMC1,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend
                     {BF752EF6-8CC4-457A-BE1B-08BD1CAEEE9F}: Format(In/Out)=(IMC2,YUY2) Frames(Prev/Fwd/Back)=(0,0,1) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_EdgeFiltering
                     {335AA36E-7884-43A4-9C91-7F87FAF3E37E}: Format(In/Out)=(IMC2,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_BOBVerticalStretch
                     {5A54A0C9-C7EC-4BD9-8EDE-F3C75DC4393B}: Format(In/Out)=(IMC2,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend
                     {BF752EF6-8CC4-457A-BE1B-08BD1CAEEE9F}: Format(In/Out)=(IMC3,YUY2) Frames(Prev/Fwd/Back)=(0,0,1) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_EdgeFiltering
                     {335AA36E-7884-43A4-9C91-7F87FAF3E37E}: Format(In/Out)=(IMC3,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_BOBVerticalStretch
                     {5A54A0C9-C7EC-4BD9-8EDE-F3C75DC4393B}: Format(In/Out)=(IMC3,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend
                     {BF752EF6-8CC4-457A-BE1B-08BD1CAEEE9F}: Format(In/Out)=(IMC4,YUY2) Frames(Prev/Fwd/Back)=(0,0,1) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_EdgeFiltering
                     {335AA36E-7884-43A4-9C91-7F87FAF3E37E}: Format(In/Out)=(IMC4,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_BOBVerticalStretch
                     {5A54A0C9-C7EC-4BD9-8EDE-F3C75DC4393B}: Format(In/Out)=(IMC4,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend
       D3D9 Overlay: Supported
            DXVA-HD: Supported
       DDraw Status: Enabled
         D3D Status: Enabled
         AGP Status: Enabled

-------------
Sound Devices
-------------
            Description: Speakers (High Definition Audio Device)
 Default Sound Playback: Yes
 Default Voice Playback: Yes
            Hardware ID: HDAUDIO\FUNC_01&VEN_111D&DEV_76B2&SUBSYS_102802AA&REV_1003
        Manufacturer ID: 1
             Product ID: 65535
                   Type: WDM
            Driver Name: HdAudio.sys
         Driver Version: 6.01.7601.17514 (English)
      Driver Attributes: Final Retail
            WHQL Logo'd: Yes
          Date and Size: 11/20/2010 06:00:21, 304128 bytes
            Other Files:
        Driver Provider: Microsoft
         HW Accel Level: Basic
              Cap Flags: 0xF1F
    Min/Max Sample Rate: 100, 200000
Static/Strm HW Mix Bufs: 1, 0
 Static/Strm HW 3D Bufs: 0, 0
              HW Memory: 0
       Voice Management: No
 EAX(tm) 2.0 Listen/Src: No, No
   I3DL2(tm) Listen/Src: No, No
Sensaura(tm) ZoomFX(tm): No

---------------------
Sound Capture Devices
---------------------
            Description: Microphone (High Definition Audio Device)
  Default Sound Capture: Yes
  Default Voice Capture: Yes
            Driver Name: HdAudio.sys
         Driver Version: 6.01.7601.17514 (English)
      Driver Attributes: Final Retail
          Date and Size: 11/20/2010 06:00:21, 304128 bytes
              Cap Flags: 0x1
           Format Flags: 0xFFFFF

-------------------
DirectInput Devices
-------------------
      Device Name: Mouse
         Attached: 1
    Controller ID: n/a
Vendor/Product ID: n/a
        FF Driver: n/a

      Device Name: Keyboard
         Attached: 1
    Controller ID: n/a
Vendor/Product ID: n/a
        FF Driver: n/a

      Device Name: Microsoft Hardware USB Mouse
         Attached: 1
    Controller ID: 0x0
Vendor/Product ID: 0x045E, 0x0745
        FF Driver: n/a

      Device Name: Micr
         Attached: 1
    Controller ID: 0x0
Vendor/Product ID: 0x045E, 0x0745
        FF Driver: n/a

      Device Name: Micr
         Attached: 1
    Controller ID: 0x0
Vendor/Product ID: 0x045E, 0x0745
        FF Driver: n/a

      Device Name: Micr
         Attached: 1
    Controller ID: 0x0
Vendor/Product ID: 0x045E, 0x0745
        FF Driver: n/a

      Device Name: Micr
         Attached: 1
    Controller ID: 0x0
Vendor/Product ID: 0x045E, 0x0745
        FF Driver: n/a

Poll w/ Interrupt: No

-----------
USB Devices
-----------
+ USB Root Hub
| Vendor/Product ID: 0x8086, 0x2936
| Matching Device ID: usb\root_hub
| Service: usbhub
| Driver: usbhub.sys, 3/24/2011 22:58:37, 258560 bytes
| Driver: usbd.sys, 3/24/2011 22:57:53, 5888 bytes

----------------
Gameport Devices
----------------

------------
PS/2 Devices
------------
+ Standard PS/2 Keyboard
| Matching Device ID: *pnp0303
| Service: i8042prt
| Driver: i8042prt.sys, 7/13/2009 19:11:24, 80896 bytes
| Driver: kbdclass.sys, 7/13/2009 21:20:36, 42576 bytes
|
+ HID Keyboard Device
| Vendor/Product ID: 0x045E, 0x0745
| Matching Device ID: hid_device_system_keyboard
| Service: kbdhid
| Driver: kbdhid.sys, 11/20/2010 05:50:10, 28160 bytes
| Driver: kbdclass.sys, 7/13/2009 21:20:36, 42576 bytes
|
+ Terminal Server Keyboard Driver
| Matching Device ID: root\rdp_kbd
| Upper Filters: kbdclass
| Service: TermDD
| Driver: i8042prt.sys, 7/13/2009 19:11:24, 80896 bytes
| Driver: kbdclass.sys, 7/13/2009 21:20:36, 42576 bytes
|
+ PS/2 Compatible Mouse
| Matching Device ID: *pnp0f13
| Service: i8042prt
| Driver: i8042prt.sys, 7/13/2009 19:11:24, 80896 bytes
| Driver: mouclass.sys, 7/13/2009 21:20:44, 41552 bytes
|
+ Microsoft USB Dual Receiver Wireless Mouse (IntelliPoint)
| Vendor/Product ID: 0x045E, 0x0745
| Matching Device ID: hid\vid_045e&pid_0745&mi_01&col01
| Upper Filters: Point32
| Service: mouhid
| Driver: point32.sys, 8/1/2011 15:56:42, 40936 bytes
| Driver: mouhid.sys, 7/13/2009 19:45:08, 26112 bytes
| Driver: mouclass.sys, 7/13/2009 21:20:44, 41552 bytes
| Driver: wdfcoinstaller01009.dll, 7/7/2010 18:18:56, 1461992 bytes
|
+ HID-compliant mouse
| Vendor/Product ID: 0x413C, 0x3016
| Matching Device ID: hid_device_system_mouse
| Service: mouhid
| Driver: mouhid.sys, 7/13/2009 19:45:08, 26112 bytes
| Driver: mouclass.sys, 7/13/2009 21:20:44, 41552 bytes
|
+ Terminal Server Mouse Driver
| Matching Device ID: root\rdp_mou
| Upper Filters: mouclass
| Service: TermDD
| Driver: termdd.sys, 11/20/2010 08:30:12, 53120 bytes
| Driver: sermouse.sys, 7/13/2009 19:45:08, 19968 bytes
| Driver: mouclass.sys, 7/13/2009 21:20:44, 41552 bytes

------------------------
Disk & DVD/CD-ROM Drives
------------------------
      Drive: C:
 Free Space: 35.9 GB
Total Space: 137.6 GB
File System: NTFS
      Model: ST9160310AS

      Drive: E:
 Free Space: 0.0 GB
Total Space: 15.0 GB
File System: NTFS
      Model: ST9160310AS

      Drive: G:
      Model: Kingston DTVault Privacy USB Device
     Driver: c:\windows\system32\drivers\cdrom.sys, 6.01.7601.17514 (English), 11/20/2010 04:38:10, 108544 bytes

      Drive: D:
      Model: Optiarc DVD+-RW AD-7580S
     Driver: c:\windows\system32\drivers\cdrom.sys, 6.01.7601.17514 (English), 11/20/2010 04:38:10, 108544 bytes

--------------
System Devices
--------------
     Name: Intel(R) ICH9 Family PCI Express Root Port 1 - 2940
Device ID: PCI\VEN_8086&DEV_2940&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&E0
   Driver: C:\Windows\system32\DRIVERS\pci.sys, 6.01.7601.17514 (English), 11/20/2010 08:30:06, 153984 bytes

     Name: Intel(R) ICH9 Family USB Universal Host Controller - 2935
Device ID: PCI\VEN_8086&DEV_2935&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&E9
   Driver: C:\Windows\system32\drivers\usbuhci.sys, 6.01.7601.17586 (English), 3/24/2011 22:57:56, 24064 bytes
   Driver: C:\Windows\system32\drivers\usbport.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:07, 284672 bytes
   Driver: C:\Windows\system32\drivers\usbhub.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:37, 258560 bytes

     Name: High Definition Audio Controller
Device ID: PCI\VEN_8086&DEV_293E&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&D8
   Driver: C:\Windows\system32\DRIVERS\hdaudbus.sys, 6.01.7601.17514 (English), 11/20/2010 05:59:29, 108544 bytes

     Name: Intel(R) ICH9 Family USB Universal Host Controller - 2934
Device ID: PCI\VEN_8086&DEV_2934&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&E8
   Driver: C:\Windows\system32\drivers\usbuhci.sys, 6.01.7601.17586 (English), 3/24/2011 22:57:56, 24064 bytes
   Driver: C:\Windows\system32\drivers\usbport.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:07, 284672 bytes
   Driver: C:\Windows\system32\drivers\usbhub.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:37, 258560 bytes

     Name: Mobile Intel(R) 4 Series Express Chipset Family
Device ID: PCI\VEN_8086&DEV_2A43&SUBSYS_02AA1028&REV_07\3&18D45AA6&0&11
   Driver: n/a

     Name: Intel(R) ICH9 Family USB2 Enhanced Host Controller - 293C
Device ID: PCI\VEN_8086&DEV_293C&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&D7
   Driver: C:\Windows\system32\drivers\usbehci.sys, 6.01.7601.17586 (English), 3/24/2011 22:57:58, 43008 bytes
   Driver: C:\Windows\system32\drivers\usbport.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:07, 284672 bytes
   Driver: C:\Windows\system32\drivers\usbhub.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:37, 258560 bytes

     Name: Intel(R) ICH9 Family SMBus Controller - 2930
Device ID: PCI\VEN_8086&DEV_2930&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&FB
   Driver: n/a

     Name: Mobile Intel(R) 4 Series Express Chipset Family
Device ID: PCI\VEN_8086&DEV_2A42&SUBSYS_02AA1028&REV_07\3&18D45AA6&0&10
   Driver: C:\Windows\system32\DRIVERS\igdkmd32.sys, 8.15.0010.2302 (English), 2/11/2011 19:12:16, 9036800 bytes
   Driver: C:\Windows\system32\igdumd32.dll, 8.15.0010.2302 (English), 2/11/2011 19:12:16, 4967424 bytes
   Driver: C:\Windows\system32\igkrng500.bin, 4/21/2010 18:08:14, 982240 bytes
   Driver: C:\Windows\system32\igcompkrng500.bin, 4/21/2010 18:08:14, 439308 bytes
   Driver: C:\Windows\system32\igfcg500m.bin, 4/21/2010 18:08:14, 92356 bytes
   Driver: C:\Windows\system32\iglhxs32.vp, 2/11/2011 19:42:52, 51636 bytes
   Driver: C:\Windows\system32\iglhxo32.vp, 4/21/2010 17:22:50, 60015 bytes
   Driver: C:\Windows\system32\iglhxc32.vp, 4/21/2010 17:22:50, 60226 bytes
   Driver: C:\Windows\system32\iglhxg32.vp, 4/21/2010 17:22:52, 60254 bytes
   Driver: C:\Windows\system32\iglhxa32.vp, 4/21/2010 17:22:50, 1090 bytes
   Driver: C:\Windows\system32\iglhxa32.cpa, 4/21/2010 17:22:50, 1921265 bytes
   Driver: C:\Windows\system32\iglhcp32.dll, 1.05.0002.0001 (English), 2/11/2011 18:35:00, 147456 bytes
   Driver: C:\Windows\system32\iglhsip32.dll, 1.05.0002.0001 (English), 2/11/2011 18:35:00, 208896 bytes
   Driver: C:\Windows\system32\hccutils.dll, 8.15.0010.2302 (English), 2/11/2011 18:40:48, 95232 bytes
   Driver: C:\Windows\system32\igfxsrvc.dll, 8.15.0010.2302 (English), 2/11/2011 18:41:12, 57856 bytes
   Driver: C:\Windows\system32\igfxsrvc.exe, 8.15.0010.2302 (English), 2/11/2011 19:26:30, 267800 bytes
   Driver: C:\Windows\system32\igfxpph.dll, 8.15.0010.2302 (English), 2/11/2011 18:41:30, 195584 bytes
   Driver: C:\Windows\system32\igfxcpl.cpl, 8.15.0010.2302 (English), 2/11/2011 18:41:30, 115200 bytes
   Driver: C:\Windows\system32\igfxdev.dll, 8.15.0010.2302 (English), 2/11/2011 18:40:38, 228864 bytes
   Driver: C:\Windows\system32\igfxdo.dll, 8.15.0010.2302 (English), 2/11/2011 18:40:56, 130048 bytes
   Driver: C:\Windows\system32\igfxtray.exe, 8.15.0010.2302 (English), 2/11/2011 19:26:32, 137752 bytes
   Driver: C:\Windows\system32\hkcmd.exe, 8.15.0010.2302 (English), 2/11/2011 19:26:26, 171032 bytes
   Driver: C:\Windows\system32\igfxress.dll, 8.15.0010.2302 (English), 2/11/2011 18:40:38, 828928 bytes
   Driver: C:\Windows\system32\igfxpers.exe, 8.15.0010.2302 (English), 2/11/2011 19:26:30, 172568 bytes
   Driver: C:\Windows\system32\igfxTMM.dll, 8.15.0010.2302 (English), 2/11/2011 18:41:30, 261632 bytes
   Driver: C:\Windows\system32\TVWSetup.exe, 1.00.0001.0000 (English), 2/11/2011 19:26:38, 8198680 bytes
   Driver: C:\Windows\system32\gfxSrvc.dll, 8.15.0010.2302 (English), 2/11/2011 18:40:42, 120320 bytes
   Driver: C:\Windows\system32\GfxUI.exe, 8.15.0010.2302 (English), 2/11/2011 19:26:22, 3157528 bytes
   Driver: C:\Windows\system32\GfxUI.exe.config, 4/21/2010 17:29:46, 151 bytes
   Driver: C:\Windows\system32\IGFXDEVLib.dll, 1.00.0000.0000 (Invariant Language), 2/11/2011 18:40:40, 4096 bytes
   Driver: C:\Windows\system32\igfxext.exe, 8.15.0010.2302 (English), 2/11/2011 19:26:28, 179224 bytes
   Driver: C:\Windows\system32\igfxexps.dll, 8.15.0010.2302 (English), 2/11/2011 18:41:28, 23552 bytes
   Driver: C:\Windows\system32\igfxrara.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:00, 84480 bytes
   Driver: C:\Windows\system32\igfxrchs.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:00, 81920 bytes
   Driver: C:\Windows\system32\igfxrcht.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:00, 81920 bytes
   Driver: C:\Windows\system32\igfxrdan.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:02, 84992 bytes
   Driver: C:\Windows\system32\igfxrdeu.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:02, 86016 bytes
   Driver: C:\Windows\system32\igfxrenu.lrc, 8.15.0010.2302 (English), 2/11/2011 18:40:38, 85504 bytes
   Driver: C:\Windows\system32\igfxresn.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:08, 86528 bytes
   Driver: C:\Windows\system32\igfxrfin.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:02, 85504 bytes
   Driver: C:\Windows\system32\igfxrfra.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:02, 86528 bytes
   Driver: C:\Windows\system32\igfxrheb.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:04, 84480 bytes
   Driver: C:\Windows\system32\igfxrita.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:04, 86016 bytes
   Driver: C:\Windows\system32\igfxrjpn.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:04, 82944 bytes
   Driver: C:\Windows\system32\igfxrkor.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:06, 82944 bytes
   Driver: C:\Windows\system32\igfxrnld.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:02, 86016 bytes
   Driver: C:\Windows\system32\igfxrnor.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:06, 85504 bytes
   Driver: C:\Windows\system32\igfxrplk.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:06, 86016 bytes
   Driver: C:\Windows\system32\igfxrptb.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:06, 85504 bytes
   Driver: C:\Windows\system32\igfxrptg.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:08, 86016 bytes
   Driver: C:\Windows\system32\igfxrrus.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:08, 86016 bytes
   Driver: C:\Windows\system32\igfxrsky.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:10, 86016 bytes
   Driver: C:\Windows\system32\igfxrslv.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:10, 85504 bytes
   Driver: C:\Windows\system32\igfxrsve.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:08, 85504 bytes
   Driver: C:\Windows\system32\igfxrtha.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:10, 84992 bytes
   Driver: C:\Windows\system32\igfxrcsy.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:00, 85504 bytes
   Driver: C:\Windows\system32\igfxrell.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:04, 86528 bytes
   Driver: C:\Windows\system32\igfxrhun.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:04, 85504 bytes
   Driver: C:\Windows\system32\igfxrtrk.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:10, 85504 bytes
   Driver: C:\Windows\system32\Gfxres.ar-SA.resources, 2/11/2011 18:44:12, 139851 bytes
   Driver: C:\Windows\system32\Gfxres.cs-CZ.resources, 2/11/2011 18:44:14, 118687 bytes
   Driver: C:\Windows\system32\Gfxres.da-DK.resources, 2/11/2011 18:44:14, 114203 bytes
   Driver: C:\Windows\system32\Gfxres.de-DE.resources, 2/11/2011 18:44:16, 122651 bytes
   Driver: C:\Windows\system32\Gfxres.el-GR.resources, 2/11/2011 18:44:16, 178349 bytes
   Driver: C:\Windows\system32\Gfxres.es-ES.resources, 2/11/2011 18:44:18, 122869 bytes
   Driver: C:\Windows\system32\Gfxres.en-US.resources, 8/25/2010 20:02:24, 110156 bytes
   Driver: C:\Windows\system32\Gfxres.fi-FI.resources, 2/11/2011 18:44:20, 118639 bytes
   Driver: C:\Windows\system32\Gfxres.fr-FR.resources, 2/11/2011 18:44:20, 120742 bytes
   Driver: C:\Windows\system32\Gfxres.he-IL.resources, 2/11/2011 18:44:22, 133688 bytes
   Driver: C:\Windows\system32\Gfxres.hu-HU.resources, 2/11/2011 18:44:22, 119558 bytes
   Driver: C:\Windows\system32\Gfxres.it-IT.resources, 2/11/2011 18:44:24, 125500 bytes
   Driver: C:\Windows\system32\Gfxres.ja-JP.resources, 2/11/2011 18:44:24, 136343 bytes
   Driver: C:\Windows\system32\Gfxres.ko-KR.resources, 2/11/2011 18:44:26, 123172 bytes
   Driver: C:\Windows\system32\Gfxres.nb-NO.resources, 2/11/2011 18:44:28, 114794 bytes
   Driver: C:\Windows\system32\Gfxres.nl-NL.resources, 2/11/2011 18:44:28, 119528 bytes
   Driver: C:\Windows\system32\Gfxres.pl-PL.resources, 2/11/2011 18:44:30, 118351 bytes
   Driver: C:\Windows\system32\Gfxres.pt-BR.resources, 2/11/2011 18:44:30, 120308 bytes
   Driver: C:\Windows\system32\Gfxres.pt-PT.resources, 2/11/2011 18:44:32, 119009 bytes
   Driver: C:\Windows\system32\Gfxres.ru-RU.resources, 2/11/2011 18:44:32, 165337 bytes
   Driver: C:\Windows\system32\Gfxres.sk-SK.resources, 2/11/2011 18:44:34, 118000 bytes
   Driver: C:\Windows\system32\Gfxres.sl-SI.resources, 2/11/2011 18:44:36, 114314 bytes
   Driver: C:\Windows\system32\Gfxres.sv-SE.resources, 2/11/2011 18:44:36, 119302 bytes
   Driver: C:\Windows\system32\Gfxres.th-TH.resources, 2/11/2011 18:44:38, 189494 bytes
   Driver: C:\Windows\system32\Gfxres.tr-TR.resources, 2/11/2011 18:44:38, 121115 bytes
   Driver: C:\Windows\system32\Gfxres.zh-CN.resources, 2/11/2011 18:44:40, 102825 bytes
   Driver: C:\Windows\system32\Gfxres.zh-TW.resources, 2/11/2011 18:44:40, 103986 bytes
   Driver: C:\Windows\system32\ig4icd32.dll, 8.15.0010.2302 (English), 2/11/2011 18:51:10, 11039744 bytes
   Driver: C:\Windows\system32\igd10umd32.dll, 8.15.0010.2302 (English), 2/11/2011 19:04:40, 4411392 bytes
   Driver: C:\Windows\system32\d3dx10_40.dll, 9.24.0950.2656 (English), 8/13/2009 22:09:44, 452440 bytes
   Driver: C:\Windows\system32\igdumdx32.dll, 8.15.0010.2302 (English), 2/11/2011 19:09:48, 571904 bytes
   Driver: C:\Windows\system32\igfxCoIn_v2302.dll, 1.02.0030.0000 (English), 2/11/2011 19:20:00, 81920 bytes

     Name: Intel(R) ICH9 Family USB2 Enhanced Host Controller - 293A
Device ID: PCI\VEN_8086&DEV_293A&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&EF
   Driver: C:\Windows\system32\drivers\usbehci.sys, 6.01.7601.17586 (English), 3/24/2011 22:57:58, 43008 bytes
   Driver: C:\Windows\system32\drivers\usbport.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:07, 284672 bytes
   Driver: C:\Windows\system32\drivers\usbhub.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:37, 258560 bytes

     Name: Intel(R) ICH9M-E/M SATA AHCI Controller
Device ID: PCI\VEN_8086&DEV_2929&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&FA
   Driver: C:\Windows\system32\DRIVERS\iaStor.sys, 10.05.0000.1029 (English), 6/15/2011 09:00:28, 461080 bytes
   Driver: C:\Windows\system32\RSTCoin.dll, 1.03.0001.0000 (English), 6/15/2011 09:20:52, 105240 bytes
   Driver: C:\Windows\RST_UI.cab, , 0 bytes

     Name: Mobile Intel(R) 4 Series Chipset Processor to DRAM Controller - 2A40
Device ID: PCI\VEN_8086&DEV_2A40&SUBSYS_02AA1028&REV_07\3&18D45AA6&0&00
   Driver: n/a

     Name: Intel(R) ICH9 Family USB Universal Host Controller - 2939
Device ID: PCI\VEN_8086&DEV_2939&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&D2
   Driver: C:\Windows\system32\drivers\usbuhci.sys, 6.01.7601.17586 (English), 3/24/2011 22:57:56, 24064 bytes
   Driver: C:\Windows\system32\drivers\usbport.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:07, 284672 bytes
   Driver: C:\Windows\system32\drivers\usbhub.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:37, 258560 bytes

     Name: Intel(R) ICH9M LPC Interface Controller - 2919
Device ID: PCI\VEN_8086&DEV_2919&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&F8
   Driver: C:\Windows\system32\DRIVERS\msisadrv.sys, 6.01.7600.16385 (English), 7/13/2009 21:20:43, 13888 bytes

     Name: Intel(R) ICH9 Family PCI Express Root Port 5 - 2948
Device ID: PCI\VEN_8086&DEV_2948&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&E4
   Driver: C:\Windows\system32\DRIVERS\pci.sys, 6.01.7601.17514 (English), 11/20/2010 08:30:06, 153984 bytes

     Name: Intel(R) ICH9 Family USB Universal Host Controller - 2938
Device ID: PCI\VEN_8086&DEV_2938&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&D1
   Driver: C:\Windows\system32\drivers\usbuhci.sys, 6.01.7601.17586 (English), 3/24/2011 22:57:56, 24064 bytes
   Driver: C:\Windows\system32\drivers\usbport.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:07, 284672 bytes
   Driver: C:\Windows\system32\drivers\usbhub.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:37, 258560 bytes

     Name: Intel(R) 82801 PCI Bridge - 2448
Device ID: PCI\VEN_8086&DEV_2448&SUBSYS_02AA1028&REV_93\3&18D45AA6&0&F0
   Driver: C:\Windows\system32\DRIVERS\pci.sys, 6.01.7601.17514 (English), 11/20/2010 08:30:06, 153984 bytes

     Name: Intel(R) ICH9 Family PCI Express Root Port 3 - 2944
Device ID: PCI\VEN_8086&DEV_2944&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&E2
   Driver: C:\Windows\system32\DRIVERS\pci.sys, 6.01.7601.17514 (English), 11/20/2010 08:30:06, 153984 bytes

     Name: Intel(R) ICH9 Family USB Universal Host Controller - 2937
Device ID: PCI\VEN_8086&DEV_2937&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&D0
   Driver: C:\Windows\system32\drivers\usbuhci.sys, 6.01.7601.17586 (English), 3/24/2011 22:57:56, 24064 bytes
   Driver: C:\Windows\system32\drivers\usbport.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:07, 284672 bytes
   Driver: C:\Windows\system32\drivers\usbhub.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:37, 258560 bytes

     Name: Dell Wireless 1397 WLAN Mini-Card
Device ID: PCI\VEN_14E4&DEV_4315&SUBSYS_000C1028&REV_01\4&1B317842&0&00E1
   Driver: C:\Windows\system32\DRIVERS\BCMWL6.SYS, 5.30.0021.0000 (English), 7/8/2009 01:45:32, 2506232 bytes
   Driver: C:\Windows\system32\drivers\vwifibus.sys, 6.01.7600.16385 (English), 7/13/2009 19:52:02, 19968 bytes

     Name: Intel(R) ICH9 Family PCI Express Root Port 2 - 2942
Device ID: PCI\VEN_8086&DEV_2942&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&E1
   Driver: C:\Windows\system32\DRIVERS\pci.sys, 6.01.7601.17514 (English), 11/20/2010 08:30:06, 153984 bytes

     Name: Intel(R) ICH9 Family USB Universal Host Controller - 2936
Device ID: PCI\VEN_8086&DEV_2936&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&EA
   Driver: C:\Windows\system32\drivers\usbuhci.sys, 6.01.7601.17586 (English), 3/24/2011 22:57:56, 24064 bytes
   Driver: C:\Windows\system32\drivers\usbport.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:07, 284672 bytes
   Driver: C:\Windows\system32\drivers\usbhub.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:37, 258560 bytes

     Name: Marvell Yukon 88E8040 PCI-E Fast Ethernet Controller
Device ID: PCI\VEN_11AB&DEV_4354&SUBSYS_02AA1028&REV_13\4&2AC8D8A2&0&00E2
   Driver: n/a

------------------
DirectShow Filters
------------------

DirectShow Filters:
WMAudio Decoder DMO,0x00800800,1,1,WMADMOD.DLL,6.01.7601.17514
WMAPro over S/PDIF DMO,0x00600800,1,1,WMADMOD.DLL,6.01.7601.17514
WMSpeech Decoder DMO,0x00600800,1,1,WMSPDMOD.DLL,6.01.7601.17514
MP3 Decoder DMO,0x00600800,1,1,mp3dmod.dll,6.01.7600.16385
Mpeg4s Decoder DMO,0x00800001,1,1,mp4sdecd.dll,6.01.7600.16385
WMV Screen decoder DMO,0x00600800,1,1,wmvsdecd.dll,6.01.7601.17514
WMVideo Decoder DMO,0x00800001,1,1,wmvdecod.dll,6.01.7601.17514
Mpeg43 Decoder DMO,0x00800001,1,1,mp43decd.dll,6.01.7600.16385
Mpeg4 Decoder DMO,0x00800001,1,1,mpg4decd.dll,6.01.7600.16385
CyberLink AudioCD Filter,0x00600000,0,1,CLAudioCD.ax,5.00.0000.4417
WMT VIH2 Fix,0x00200000,1,1,WLXVAFilt.dll,15.04.3538.0513
Record Queue,0x00200000,1,1,WLXVAFilt.dll,15.04.3538.0513
WMT Switch Filter,0x00200000,1,1,WLXVAFilt.dll,15.04.3538.0513
WMT Virtual Renderer,0x00200000,1,0,WLXVAFilt.dll,15.04.3538.0513
WMT DV Extract,0x00200000,1,1,WLXVAFilt.dll,15.04.3538.0513
WMT Virtual Source,0x00200000,0,1,WLXVAFilt.dll,15.04.3538.0513
WMT Sample Information Filter,0x00200000,1,1,WLXVAFilt.dll,15.04.3538.0513
DV Muxer,0x00400000,0,0,qdv.dll,6.06.7601.17514
CyberLink Audio Wizard,0x00200001,1,1,CLAudWizard.ax,1.00.0000.3616
Color Space Converter,0x00400001,1,1,quartz.dll,6.06.7601.17713
WM ASF Reader,0x00400000,0,0,qasf.dll,12.00.7601.17514
Screen Capture filter,0x00200000,0,1,wmpsrcwp.dll,12.00.7601.17514
AVI Splitter,0x00600000,1,1,quartz.dll,6.06.7601.17713
VGA 16 Color Ditherer,0x00400000,1,1,quartz.dll,6.06.7601.17713
SBE2MediaTypeProfile,0x00200000,0,0,sbe.dll,6.06.7601.17528
Microsoft DTV-DVD Video Decoder,0x005fffff,2,4,msmpeg2vdec.dll,6.01.7140.0000
CyberLink DVD Navigator,0x00200000,0,3,CLNavX.ax,8.00.0000.0121
AC3 Parser Filter,0x00600000,1,1,mpg2splt.ax,6.06.7601.17528
StreamBufferSink,0x00200000,0,0,sbe.dll,6.06.7601.17528
Microsoft TV Captions Decoder,0x00200001,1,0,MSTVCapn.dll,6.01.7601.17715
MJPEG Decompressor,0x00600000,1,1,quartz.dll,6.06.7601.17713
CBVA DMO wrapper filter,0x00200000,1,1,cbva.dll,6.01.7601.17514
MPEG-I Stream Splitter,0x00600000,1,2,quartz.dll,6.06.7601.17713
SAMI (CC) Parser,0x00400000,1,1,quartz.dll,6.06.7601.17713
CyberLink Audio Spectrum Analyzer,0x00200000,1,1,CLAudSpa.ax,1.00.0000.0924
VBI Codec,0x00600000,1,4,VBICodec.ax,6.06.7601.17514
MPEG-2 Splitter,0x005fffff,1,0,mpg2splt.ax,6.06.7601.17528
Closed Captions Analysis Filter,0x00200000,2,5,cca.dll,6.06.7601.17514
SBE2FileScan,0x00200000,0,0,sbe.dll,6.06.7601.17528
Microsoft MPEG-2 Video Encoder,0x00200000,1,1,msmpeg2enc.dll,6.01.7601.17514
CyberLink Demultiplexer,0x00200000,1,0,cldemuxer.ax,1.00.0000.4528
Internal Script Command Renderer,0x00800001,1,0,quartz.dll,6.06.7601.17713
MPEG Audio Decoder,0x03680001,1,1,quartz.dll,6.06.7601.17713
DV Splitter,0x00600000,1,2,qdv.dll,6.06.7601.17514
Video Mixing Renderer 9,0x00200000,1,0,quartz.dll,6.06.7601.17713
Haali Media Splitter,0x00600001,0,1,,
Microsoft MPEG-2 Encoder,0x00200000,2,1,msmpeg2enc.dll,6.01.7601.17514
ACM Wrapper,0x00600000,1,1,quartz.dll,6.06.7601.17713
Video Renderer,0x00800001,1,0,quartz.dll,6.06.7601.17713
MPEG-2 Video Stream Analyzer,0x00200000,0,0,sbe.dll,6.06.7601.17528
Line 21 Decoder,0x00600000,1,1,qdvd.dll,6.06.7601.17713
Video Port Manager,0x00600000,2,1,quartz.dll,6.06.7601.17713
Video Renderer,0x00400000,1,0,quartz.dll,6.06.7601.17713
File Writer,0x00200000,1,0,WLXVAFilt.dll,15.04.3538.0513
VPS Decoder,0x00200000,0,0,WSTPager.ax,6.06.7601.17514
WM ASF Writer,0x00400000,0,0,qasf.dll,12.00.7601.17514
VBI Surface Allocator,0x00600000,1,1,vbisurf.ax,6.01.7601.17514
CyberLink Audio Decoder,0x00200000,1,1,Claud.ax,6.03.0000.1124
File writer,0x00200000,1,0,qcap.dll,6.06.7601.17514
iTV Data Sink,0x00600000,1,0,itvdata.dll,6.06.7601.17514
iTV Data Capture filter,0x00600000,1,1,itvdata.dll,6.06.7601.17514
DVD Navigator,0x00200000,0,3,qdvd.dll,6.06.7601.17713
Microsoft TV Subtitles Decoder,0x00200001,1,0,MSTVCapn.dll,6.01.7601.17715
Overlay Mixer2,0x00200000,1,1,qdvd.dll,6.06.7601.17713
CyberLink TimeStretch Filter,0x00200000,1,1,clauts.ax,1.00.0000.5423
Haali Matroska Muxer,0x00200000,1,0,,
AVI Draw,0x00600064,9,1,quartz.dll,6.06.7601.17713
RDP DShow Redirection Filter,0xffffffff,1,0,DShowRdpFilter.dll,
CyberLink Audio Effect,0x00200000,1,1,CLAudFx.ax,6.00.0000.5723
Microsoft MPEG-2 Audio Encoder,0x00200000,1,1,msmpeg2enc.dll,6.01.7601.17514
WST Pager,0x00200000,1,1,WSTPager.ax,6.06.7601.17514
MPEG-2 Demultiplexer,0x00600000,1,1,mpg2splt.ax,6.06.7601.17528
DV Video Decoder,0x00800000,1,1,qdv.dll,6.06.7601.17514
Cyberlink SubTitle Importor,0x00200000,1,1,CLSubTitle.ax,1.00.0000.4716
SampleGrabber,0x00200000,1,1,qedit.dll,6.06.7601.17514
Null Renderer,0x00200000,1,0,qedit.dll,6.06.7601.17514
MPEG-2 Sections and Tables,0x005fffff,1,0,Mpeg2Data.ax,6.06.7601.17514
Microsoft AC3 Encoder,0x00200000,1,1,msac3enc.dll,6.01.7601.17514
StreamBufferSource,0x00200000,0,0,sbe.dll,6.06.7601.17528
Smart Tee,0x00200000,1,2,qcap.dll,6.06.7601.17514
Overlay Mixer,0x00200000,0,0,qdvd.dll,6.06.7601.17713
CyberLink Video Effect,0x00200000,1,1,CLVidFx.ax,1.00.0000.1523
CyberLink Video/SP Decoder,0x00600000,2,3,CLVSD.ax,8.02.0000.1117
AVI Decompressor,0x00600000,1,1,quartz.dll,6.06.7601.17713
NetBridge,0x00200000,2,0,netbridge.dll,6.01.7601.17514
AVI/WAV File Source,0x00400000,0,2,quartz.dll,6.06.7601.17713
Wave Parser,0x00400000,1,1,quartz.dll,6.06.7601.17713
MIDI Parser,0x00400000,1,1,quartz.dll,6.06.7601.17713
Multi-file Parser,0x00400000,1,1,quartz.dll,6.06.7601.17713
File stream renderer,0x00400000,1,1,quartz.dll,6.06.7601.17713
CyberLink Line21 Decoder Filter,0x00200000,0,2,CLLine21.ax,4.00.0000.9027
Microsoft DTV-DVD Audio Decoder,0x005fffff,1,1,msmpeg2adec.dll,6.01.7140.0000
StreamBufferSink2,0x00200000,0,0,sbe.dll,6.06.7601.17528
AVI Mux,0x00200000,1,0,qcap.dll,6.06.7601.17514
Line 21 Decoder 2,0x00600002,1,1,quartz.dll,6.06.7601.17713
File Source (Async.),0x00400000,0,1,quartz.dll,6.06.7601.17713
File Source (URL),0x00400000,0,1,quartz.dll,6.06.7601.17713
Media Center Extender Encryption Filter,0x00200000,2,2,Mcx2Filter.dll,6.01.7601.17514
AudioRecorder WAV Dest,0x00200000,0,0,WavDest.dll,
AudioRecorder Wave Form,0x00200000,0,0,WavDest.dll,
SoundRecorder Null Renderer,0x00200000,0,0,WavDest.dll,
Infinite Pin Tee Filter,0x00200000,1,1,qcap.dll,6.06.7601.17514
Enhanced Video Renderer,0x00200000,1,0,evr.dll,6.01.7601.17514
BDA MPEG2 Transport Information Filter,0x00200000,2,0,psisrndr.ax,6.06.7601.17669
MPEG Video Decoder,0x40000001,1,1,quartz.dll,6.06.7601.17713

WDM Streaming Tee/Splitter Devices:
Tee/Sink-to-Sink Converter,0x00200000,1,1,ksproxy.ax,6.01.7601.17514

Video Compressors:
WMVideo8 Encoder DMO,0x00600800,1,1,wmvxencd.dll,6.01.7600.16385
WMVideo9 Encoder DMO,0x00600800,1,1,wmvencod.dll,6.01.7600.16385
MSScreen 9 encoder DMO,0x00600800,1,1,wmvsencd.dll,6.01.7600.16385
DV Video Encoder,0x00200000,0,0,qdv.dll,6.06.7601.17514
MJPEG Compressor,0x00200000,0,0,quartz.dll,6.06.7601.17713
Cinepak Codec by Radius,0x00200000,1,1,qcap.dll,6.06.7601.17514
Intel IYUV codec,0x00200000,1,1,qcap.dll,6.06.7601.17514
Intel IYUV codec,0x00200000,1,1,qcap.dll,6.06.7601.17514
Microsoft RLE,0x00200000,1,1,qcap.dll,6.06.7601.17514
Microsoft Video 1,0x00200000,1,1,qcap.dll,6.06.7601.17514

Audio Compressors:
WM Speech Encoder DMO,0x00600800,1,1,WMSPDMOE.DLL,6.01.7600.16385
WMAudio Encoder DMO,0x00600800,1,1,WMADMOE.DLL,6.01.7600.16385
IMA ADPCM,0x00200000,1,1,quartz.dll,6.06.7601.17713
PCM,0x00200000,1,1,quartz.dll,6.06.7601.17713
Microsoft ADPCM,0x00200000,1,1,quartz.dll,6.06.7601.17713
GSM 6.10,0x00200000,1,1,quartz.dll,6.06.7601.17713
Messenger Audio Codec,0x00200000,1,1,quartz.dll,6.06.7601.17713
CCITT A-Law,0x00200000,1,1,quartz.dll,6.06.7601.17713
CCITT u-Law,0x00200000,1,1,quartz.dll,6.06.7601.17713
MPEG Layer-3,0x00200000,1,1,quartz.dll,6.06.7601.17713

Audio Capture Sources:
Microphone (High Definition Aud,0x00200000,0,0,qcap.dll,6.06.7601.17514

PBDA CP Filters:
PBDA DTFilter,0x00600000,1,1,CPFilters.dll,6.06.7601.17528
PBDA ETFilter,0x00200000,0,0,CPFilters.dll,6.06.7601.17528
PBDA PTFilter,0x00200000,0,0,CPFilters.dll,6.06.7601.17528

Midi Renderers:
Default MidiOut Device,0x00800000,1,0,quartz.dll,6.06.7601.17713
Microsoft GS Wavetable Synth,0x00200000,1,0,quartz.dll,6.06.7601.17713

WDM Streaming Capture Devices:
HD Audio Microphone 2,0x00200000,1,1,ksproxy.ax,6.01.7601.17514

WDM Streaming Rendering Devices:
HD Audio Headphone/Speakers,0x00200000,1,1,ksproxy.ax,6.01.7601.17514

BDA Network Providers:
Microsoft ATSC Network Provider,0x00200000,0,1,MSDvbNP.ax,6.06.7601.17514
Microsoft DVBC Network Provider,0x00200000,0,1,MSDvbNP.ax,6.06.7601.17514
Microsoft DVBS Network Provider,0x00200000,0,1,MSDvbNP.ax,6.06.7601.17514
Microsoft DVBT Network Provider,0x00200000,0,1,MSDvbNP.ax,6.06.7601.17514
Microsoft Network Provider,0x00200000,0,1,MSNP.ax,6.06.7601.17514

Multi-Instance Capable VBI Codecs:
VBI Codec,0x00600000,1,4,VBICodec.ax,6.06.7601.17514

BDA Transport Information Renderers:
BDA MPEG2 Transport Information Filter,0x00600000,2,0,psisrndr.ax,6.06.7601.17669
MPEG-2 Sections and Tables,0x00600000,1,0,Mpeg2Data.ax,6.06.7601.17514

BDA CP/CA Filters:
Decrypt/Tag,0x00600000,1,1,EncDec.dll,6.06.7601.17708
Encrypt/Tag,0x00200000,0,0,EncDec.dll,6.06.7601.17708
PTFilter,0x00200000,0,0,EncDec.dll,6.06.7601.17708
XDS Codec,0x00200000,0,0,EncDec.dll,6.06.7601.17708

WDM Streaming Communication Transforms:
Tee/Sink-to-Sink Converter,0x00200000,1,1,ksproxy.ax,6.01.7601.17514

Audio Renderers:
Speakers (High Definition Audio,0x00200000,1,0,quartz.dll,6.06.7601.17713
CyberLink Audio Renderer,0x00200000,1,0,cladr.ax,6.00.0000.5222
Default DirectSound Device,0x00800000,1,0,quartz.dll,6.06.7601.17713
Default WaveOut Device,0x00200000,1,0,quartz.dll,6.06.7601.17713
DirectSound: Speakers (High Definition Audio Device),0x00200000,1,0,quartz.dll,6.06.7601.17713

---------------
EVR Power Information
---------------
Current Setting: {651288E5-A7ED-4076-A96B-6CC62D848FE1} (Balanced)
  Quality Flags: 2576
    Enabled:
    Force throttling
    Allow half deinterlace
    Allow scaling
    Decode Power Usage: 100
  Balanced Flags: 1424
    Enabled:
    Force throttling
    Allow batching
    Force half deinterlace
    Force scaling
    Decode Power Usage: 50
  PowerFlags: 1424
    Enabled:
    Force throttling
    Allow batching
    Force half deinterlace
    Force scaling
    Decode Power Usage: 0


Title: Re: Windows infection: please help a security newbie
Post by: sadpandatech on July 23, 2012, 12:42:57 AM

What is this;
O4 - HKCU\..\Run: [wrorap] "C:\Windows\System32\rundll32.exe" "C:\Users\~\AppData\Roaming\wrorap.dll",SetStep


Nothing else stands out to me at least.
Do I "fix" it?

Most definitely!  Before you go wiping it though, let's make sure it did not make any way to copy itself again.

First kill all the iexplorer.exe running in Task Manager, that's scary. ;p  And the Flash_util_activex after.

Then browse to My Computer, click the c: drive and use the search box at top right to search for wrorap.dll. What we are wanting to do is, one, get a copy of it and, two, find out when it was created. Please email a copy to titusville tech AT gmail . com (remove spaces).
Once you know the date it was created, do another file search for all files created or modified on that same date, using the advanced search functions. Please share if you find anything. At this point also run the fix for that one file at least.

Let us know if your date modified/created search returns anything unusual.

cheers
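
The same-day search described in the post above, written out as a script. This is an added example for the thread, not code from any of the posters: it locates the named file, takes the calendar day it was created or last written, and lists every other file under the search root touched on that day. The directory tree, file names and timestamps are constructed inline so it runs offline; on the real machine you would call find_same_day_files(r"C:\", "wrorap.dll") instead.

```python
"""Same-day file triage around a suspicious file (added example, not from the thread)."""
import os
import tempfile
from datetime import date, datetime


def file_days(path):
    """Calendar days on which the file was created or last modified.

    On Windows st_ctime is the creation time, so both it and st_mtime are
    used. On POSIX st_ctime is the inode-change time (reset by any metadata
    update), so only st_mtime is used there.
    """
    st = os.stat(path)
    days = {date.fromtimestamp(st.st_mtime)}
    if os.name == "nt":
        days.add(date.fromtimestamp(st.st_ctime))
    return days


def locate_file(root, name):
    """Paths of every file under root called `name` (case-insensitive, like NTFS)."""
    wanted = name.lower()
    return sorted(
        os.path.join(dirpath, f)
        for dirpath, _dirs, files in os.walk(root)
        for f in files
        if f.lower() == wanted
    )


def find_same_day_files(root, name):
    """Files under root created/modified on any day a copy of `name` was.

    Returns (anchors, matches): the located copies of `name` and, sorted,
    the other files sharing a day with any of them. Unreadable files are
    skipped rather than aborting the sweep.
    """
    anchors = locate_file(root, name)
    days = set()
    for a in anchors:
        days |= file_days(a)
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            if p in anchors:
                continue
            try:
                if file_days(p) & days:
                    matches.append(p)
            except OSError:
                continue  # locked or permission-denied file; move on
    return anchors, sorted(matches)


def build_timeline_sample():
    """Constructed sample tree (not from the thread) with back-dated mtimes.

    os.utime cannot back-date the creation time, so on Windows the sample
    files also carry today's creation date; a scan of a real drive does not
    have that artefact.
    """
    root = tempfile.mkdtemp(prefix="triage_")
    layout = {
        "Users/me/AppData/Roaming/wrorap.dll": datetime(2012, 7, 20, 14, 5),
        "Users/me/AppData/Roaming/helper.tmp": datetime(2012, 7, 20, 16, 30),
        "Users/me/Documents/notes.txt": datetime(2012, 7, 21, 9, 0),
        "Windows/System32/kernel32.dll": datetime(2009, 7, 14, 1, 0),
    }
    for rel, when in layout.items():
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(b"sample")
        ts = when.timestamp()
        os.utime(p, (ts, ts))
    return root


if __name__ == "__main__":
    root = build_timeline_sample()
    anchors, matches = find_same_day_files(root, "wrorap.dll")
    print("anchor(s):", anchors)
    for m in matches:
        print("same day:", os.path.relpath(m, root))
```

On the constructed tree only helper.tmp shares the 2012-07-20 day with wrorap.dll; notes.txt (next day) and kernel32.dll (2009) are left out. Timestamps are easy for malware to forge, so a same-day list is a starting point for review, not proof.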



Title: Re: Windows infection: please help a security newbie
Post by: dree12 on July 23, 2012, 12:58:38 AM

What is this;
O4 - HKCU\..\Run: [wrorap] "C:\Windows\System32\rundll32.exe" "C:\Users\~\AppData\Roaming\wrorap.dll",SetStep


Nothing else stands out to me at least.
Do I "fix" it?

Most definitely!  Before you go wiping it though, let's make sure it did not make any way to copy itself again.

First kill all the iexplorer.exe running in Task Manager, that's scary. ;p  And the Flash_util_activex after.

Then browse to My Computer, click the c: drive and use the search box at top right to search for wrorap.dll. What we are wanting to do is, one, get a copy of it and, two, find out when it was created. Please email a copy to titusville tech AT gmail . com (remove spaces).
Once you know the date it was created, do another file search for all files created or modified on that same date, using the advanced search functions. Please share if you find anything. At this point also run the fix for that one file at least.

Let us know if your date modified/created search returns anything unusual.

cheers


Here's the file in base64 encoding (I also sent an email, but this is more public).
Code:
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
Edit: There was something here, but I realized that was the quarantine. Never mind.


Title: Re: Windows infection: please help a security newbie
Post by: sadpandatech on July 23, 2012, 01:09:08 AM
Are you using a device from Midiman called M-Audio or some such via firewire?


edit; if it will let you, enable the BITS (Background Intelligent Transfer Service) service from services.msc and see if you can then access the windows update functions.


Title: Re: Windows infection: please help a security newbie
Post by: dree12 on July 23, 2012, 01:18:45 AM
edit; if it will let you, enable the BITS (Background Intelligent Transfer Service) service from services.msc and see if you can then access the windows update functions.
None of these services exist anymore:

  • BITS
  • Microsoft Antimalware
  • Windows Firewall
  • Windows Update

Are you using a device from Midiman called M-Audio or some such via firewire?
The file has definitely been renamed and corrupted. Here are some suspicious traits:

Code:
No permissions have been assigned for this object.

Warning: this is a potential security risk because anyone who can access this object can take ownership of it. The object’s owner should assign permissions as soon as possible.

Code:
Original filename: mafwcpl.exe


Title: Re: Windows infection: please help a security newbie
Post by: sadpandatech on July 23, 2012, 01:24:32 AM
edit; if it will let you, enable the BITS (Background Intelligent Transfer Service) service from services.msc and see if you can then access the windows update functions.
None of these services exist anymore:

  • BITS
  • Microsoft Antimalware
  • Windows Firewall
  • Windows Update

Are you using a device from Midiman called M-Audio or some such via firewire?
The file has definitely been renamed and corrupted. Here are some suspicious traits:

Code:
No permissions have been assigned for this object.

Warning: this is a potential security risk because anyone who can access this object can take ownership of it. The object’s owner should assign permissions as soon as possible.

Code:
Original filename: mafwcpl.exe

aye, that file we have now is not the original. Did you find anything else modified around the same time?

As far as the missing services go: OUCH. You are likely going to need to at the very least run a repair install of Win 7.


Title: Re: Windows infection: please help a security newbie
Post by: dree12 on July 23, 2012, 01:40:46 AM
I have a restore point from the last Windows update. Will that restore the missing services?


Title: Re: Windows infection: please help a security newbie
Post by: sadpandatech on July 23, 2012, 01:41:51 AM
I have a restore point from the last Windows update. Will that restore the missing services?

Is that date before that file was created? And I am not totally sure on that. It kind of depends in what manner they have been removed.


Title: Re: Windows infection: please help a security newbie
Post by: dree12 on July 23, 2012, 01:43:57 AM
I have a restore point from the last Windows update. Will that restore the missing services?

Is that date before that file was created? And I am not totally sure on that. It kind of depends in what manner they have been removed.
Yes, and windows update was certainly working. I guess I'll try, and if that doesn't work, repair install.

Thanks for your help! It saved me a lot of grief and was greatly appreciated.

BTW: wrorap.dll somehow hacked the web browsers (it was being used by them when I tried to delete it). That's what was causing the redirects.


Title: Re: Windows infection: please help a security newbie
Post by: check_status on July 23, 2012, 02:19:59 AM
Probably installed javascript into the profile of Firefox, you may need to create a new profile.


Title: Re: Windows infection: please help a security newbie
Post by: finkleshnorts on July 23, 2012, 04:07:04 AM
I have a restore point from the last Windows update. Will that restore the missing services?

Is that date before that file was created? And I am not totally sure on that. It kind of depends in what manner they have been removed.
Yes, and windows update was certainly working. I guess I'll try, and if that doesn't work, repair install.

Thanks for your help! It saved me a lot of grief and was greatly appreciated.

BTW: wrorap.dll somehow hacked the web browsers (it was being used by them when I tried to delete it). That's what was causing the redirects.

restore points can be infected.


Title: Re: Windows infection: please help a security newbie
Post by: sadpandatech on July 23, 2012, 04:39:24 AM
Probably installed javascript into the profile of Firefox, you may need to create a new profile.

aye, not a bad idea at all. 

I take it you were able to remove it in safe mode?  Was Firefox the only browser that was redirecting on you? Probably will not hurt to reinstall any other browsers you were using as well.


And now you got me curious as to the source of that thing. I hadn't bothered to decompile that dll to see the actual script in it as I figured you had it whipped. But it could not hurt to.


Another handy trick is to find a compiled piece of the malicious code to use to search for inside of all the files on your comp. I've been able to find quite a few left over 'dormant' pieces of nasties that would otherwise have gone undetected that way.


Let us know if you still have issues removing that file. Or skip ahead of posting again and use; http://www.scanwith.com/Pocket_KillBox_download.htm
  Add the file path to the box, check the 'delete on reboot' option and then if you are ready to reboot, hit the lil red x to the right of the file location input. That should have no issues removing it. If so, let us know.

cheers
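
The byte-sequence sweep suggested in the post above, as an added example rather than code from any poster. It is a minimal form of what a YARA rule does: take a distinctive run of bytes out of the sample you already hold and report every file under a root that contains it, with the offsets. Files are read in chunks with an overlap of len(signature) - 1 bytes so a match that straddles two chunks is still found. The signature value and the three sample files are constructed here so the script runs offline; with a real sample you would pass a sequence copied from it and scan_tree(r"C:\", sig).

```python
"""Byte-signature sweep over a directory tree (added example, not from the thread)."""
import os
import tempfile

# Constructed placeholder signature, not taken from any real malware.
SAMPLE_SIGNATURE = b"\xde\xad\xbe\xef\x13\x37\x00\x01"


def find_signature(path, signature, chunk_size=1 << 20):
    """Byte offsets in the file at `path` where `signature` occurs."""
    if not signature:
        raise ValueError("signature must not be empty")
    overlap = len(signature) - 1
    offsets = []
    tail = b""   # last `overlap` bytes of the previous chunk
    base = 0     # file offset of tail[0]
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            buf = tail + chunk
            i = buf.find(signature)
            while i >= 0:
                offsets.append(base + i)
                i = buf.find(signature, i + 1)
            # Carry the final `overlap` bytes forward. A full match cannot fit
            # inside them, so no hit is reported twice.
            keep = min(overlap, len(buf))
            base += len(buf) - keep
            tail = buf[len(buf) - keep:]
    return offsets


def scan_tree(root, signature, chunk_size=1 << 20):
    """Sorted (relative path, offsets) pairs for every file containing the signature.

    Unreadable files (locked, permission denied) are skipped so one bad file
    does not abort the sweep.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            try:
                offs = find_signature(p, signature, chunk_size)
            except OSError:
                continue
            if offs:
                hits.append((os.path.relpath(p, root), offs))
    return sorted(hits)


def build_signature_sample():
    """Constructed sample tree: one match straddling a 16-byte chunk boundary,
    one clean file, and one file with two matches."""
    root = tempfile.mkdtemp(prefix="sigscan_")
    files = {
        "across.bin": b"x" * 10 + SAMPLE_SIGNATURE + b"y" * 5,
        "clean.bin": b"nothing to see here" * 4,
        "twice.bin": SAMPLE_SIGNATURE + b"\x00" * 32 + SAMPLE_SIGNATURE,
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_signature_sample()
    for rel, offs in scan_tree(root, SAMPLE_SIGNATURE, chunk_size=16):
        print(f"{rel}: signature at offsets {offs}")
```

Run with a 16-byte chunk size the sample shows the boundary case: across.bin has its single match at offset 10, spanning bytes 10 to 17 across the first chunk edge, and twice.bin reports offsets 0 and 40. Pick a signature long enough to be distinctive; a short, common instruction sequence will match legitimate binaries and bury the real hits.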


Title: Re: Windows infection: please help a security newbie
Post by: dree12 on July 23, 2012, 11:37:29 PM
It was ZeroAccess.

I'll update soon: I'm running some scans to make sure the rootkit is completely gone.

Firefox redirected the worst (on load and nearly every search result). IE also redirected. Chromium refused to work until recently (it wouldn't connect to anything).

Update:

ZeroAccess is apparently a rootkit that uses a variety of techniques to circumvent UAC by injecting code into UAC exceptions. I had not realized the dangers of keeping UAC at the "recommended" level, believing it to be sufficient in preventing malware. UAC is now set at the highest level.

ZeroAccess also downloaded a Bitcoin-related trojan (this is what most worries me). At this point, all my bitcoin is still present and remains encrypted. This was the cause of the slow computer; the bitcoin trojan converted it into a botnet.

ZeroAccess deleted some important services. Most importantly, Windows Update and Windows Firewall have been deleted. I will probably do a repair install, as a system restore seems too risky (what if it restores the rootkit?).

At this point, ZeroAccess should have been removed. At the very least, its symptoms are no longer present.

Edit: Windows Update has been restored (I needed to reregister the services, but the dlls were not deleted). I have reinstalled MSE and the computer should be much safer now. Now, I'm trying to fix Windows firewall, which isn't as crucial as the other two.


Title: Re: Windows infection: please help a security newbie
Post by: rjk on July 24, 2012, 03:07:07 AM
Personally, I never trust an infected computer ever again. All kinds of shit happens that's easy to miss and will cause future problems. If you hold any significant amount of bitcoins, it would be a good idea to move them to a known secure computer. And I mean move the encrypted wallet without first decrypting it, since you can't be sure there isn't a lingering keylogger or some shit like that.


Title: Re: Windows infection: please help a security newbie
Post by: dree12 on July 24, 2012, 03:12:43 AM
I have rediscovered an even more serious infection. This time, some core Windows system files were damaged.

"Windows has encountered a critical problem and will restart in one minute".

Yes, even in safe mode.

I have resorted to system restore, which has fixed the critical problem (additionally, all services have been restored). MSE is currently running, but only so I can gain some experience on how to deal with a severe infection.

At this point, I am simply going to install Ubuntu tomorrow. After dealing with ZeroAccess, this newly discovered and even worse infection will simply be an exercise to remove.


Title: Re: Windows infection: please help a security newbie
Post by: myrkul on July 24, 2012, 03:17:30 AM
At this point, I am simply going to install Ubuntu tomorrow. After dealing with ZeroAccess, this newly discovered and even worse infection will simply be an exercise to remove.

Windows, your days are numbered!

http://www.youtube.com/watch?v=CWsJcg-g1pg

That said, the most recent Ubuntu is not my favorite. Unity... ick. But it's a great Linux beginner OS.


Title: Re: Windows infection: please help a security newbie
Post by: dree12 on July 24, 2012, 03:21:34 AM
Sirefef is the trojan's name. I think it's currently under control (quarantined by MSE, which is saved by the system restore).

At this point, I am simply going to install Ubuntu tomorrow. After dealing with ZeroAccess, this newly discovered and even worse infection will simply be an exercise to remove.

Windows, your days are numbered!

http://www.youtube.com/watch?v=CWsJcg-g1pg

That said, the most recent Ubuntu is not my favorite. Unity... ick. But it's a great Linux beginner OS.
I wish there was audio in safe mode now.

Ubuntu is good enough for me, because I've actually used it before.

Edit: Wow, these viruses are good. They just deleted the Windows Security Centre service... in Safe Mode. The reason this is so significant is that that is not a service that can even start in Safe Mode.


Title: Re: Windows infection: please help a security newbie
Post by: check_status on July 24, 2012, 05:03:38 AM
Well, there are both benefits and disadvantages to using Linux. Linux does have malware, rootkits, worms, trojans, privilege escalation, vulnerabilities. The benefits of Linux are that the majority of the malware attacks always start in user space; the disadvantage is tools are not well discussed so newbies can acquire improved security. Often, security questions are met with responses like, "You're on Linux now, stop worrying, there is no malware here, just move along...". Little do they know, their question was being answered by a Blackhat, who isn't interested in helping to reduce his ability to pwn your box. Because of this atmosphere that "Linux is immune", it makes detecting an infection or security threat much harder for a newb than it is in Windows.
Ask yourself this: if a rootkit/worm/trojan/keylogger were running in your Linux system, how would I find it? Now see how many people will teach you how to look for the signs.
While Linux is better at default security than Windows, the length of time an infection will go undiscovered by a newb on Linux will be much longer, if infected.


Title: Re: Windows infection: please help a security newbie
Post by: myrkul on July 24, 2012, 05:16:05 AM
Well, there are both benefits and disadvantages to using Linux. Linux does have malware, rootkits, worms, trojans, privilege escalation, vulnerabilities.

Yes, and Ubuntu is starting to get big enough to be a targetable audience. (ie, it's worth the hacker's time).

But the very nature of the Linux ecosystem makes it harder to program a single bug that will infect everyone, and the open-source nature and upstream fixes makes any holes shorter-lived.

No system is 100% secure. But compared to Windows, Linux might as well be. (Especially if, like me, you use some off-brand Linux, and keep everything updated.)


Title: Re: Windows infection: please help a security newbie
Post by: Vladimir on July 24, 2012, 05:16:59 AM
Whether you like it or not, wipe all and reinstall is what you need to do.


Title: Re: Windows infection: please help a security newbie
Post by: 01BTC10 on July 24, 2012, 05:37:25 AM
Whether you like it or not, wipe all and reinstall is what you need to do.

+1

And some very specialised rootkit can even infect the BIOS so in a company environment you need to flash the BIOS before reinstall. You can't trust a computer that has ever been infected.

http://www.tomshardware.com/news/bios-virus-rootkit-security-backdoor,7400.html


Title: Re: Windows infection: please help a security newbie
Post by: dree12 on July 24, 2012, 04:48:19 PM
Whether you like it or not, wipe all and reinstall is what you need to do.

+1

And some very specialised rootkit can even infect the BIOS so in a company environment you need to flash the BIOS before reinstall. You can't trust a computer that has ever been infected.

http://www.tomshardware.com/news/bios-virus-rootkit-security-backdoor,7400.html
If I'm going to be switching OS's, should I still worry about this?


Title: Re: Windows infection: please help a security newbie
Post by: sadpandatech on July 24, 2012, 05:21:32 PM
Whether you like it or not, wipe all and reinstall is what you need to do.

+1

And some very specialised rootkit can even infect the BIOS so in a company environment you need to flash the BIOS before reinstall. You can't trust a computer that has ever been infected.

http://www.tomshardware.com/news/bios-virus-rootkit-security-backdoor,7400.html
If I'm going to be switching OS's, should I still worry about this?

def +1 to what Vlad and 01BTC10 are saying. You seem to have some fairly uncommon nasties on your machine. It probably would not hurt at all to boot from a floppy or livecd made from another machine and flash the bios.  Also, when you do format the drive to reinstall make sure to format /MBR  and format /S as well from a known clean disk. 

nasty stuff there, m8

If that was in my shop, I'd probably just destroy the HDD, replace the mobo and rest comfortably versus wondering IF there is some more advanced infection involved.


Title: Re: Windows infection: please help a security newbie
Post by: dree12 on July 24, 2012, 05:34:12 PM
Whether you like it or not, wipe all and reinstall is what you need to do.

+1

And some very specialised rootkit can even infect the BIOS so in a company environment you need to flash the BIOS before reinstall. You can't trust a computer that has ever been infected.

http://www.tomshardware.com/news/bios-virus-rootkit-security-backdoor,7400.html
If I'm going to be switching OS's, should I still worry about this?

def +1 to what Vlad and 01BTC10 are saying. You seem to have some fairly uncommon nasties on your machine. It probably would not hurt at all to boot from a floppy or livecd made from another machine and flash the bios.  Also, when you do format the drive to reinstall make sure to format /MBR  and format /S as well from a known clean disk. 

nasty stuff there, m8

If that was in my shop, I'd probably just destroy the HDD, replace the mobo and rest comfortably versus wondering IF there is some more advanced infection involved.
I'd rather not risk killing the BIOS to remove something that a) probably isn't there and b) probably doesn't matter.

Why should I format the MBR? Won't that destroy the partition table?


Title: Re: Windows infection: please help a security newbie
Post by: sadpandatech on July 24, 2012, 05:43:28 PM
Why should I format the MBR? Won't that destroy the partition table?

Why yes, yes it will, amongst other things. Windows has no issues installing to an unpartitioned drive. It will allow you to add the partitions at the same screen where you would pick the drive when you're installing. Just click advanced.

When you get reinstalled, you could at least check the bios. From your windows based BIOS app (most mobos these days have one), do a backup of the BIOS and compare it to a download from the vendor site of the same version.

cheers