
Hello,

A trojan dropper (according to Malwarebytes) was downloaded to my system. I tried getting rid of it with Malwarebytes, but the virus keeps coming back. The second time Malwarebytes identified it as a gamervance, but it continued to stay on my computer.

In addition to that, my computer has been acting slow lately. My computer even froze halfway through my DDS scan. This is all that I have noticed so far.

As requested, here are the logs:
Malware:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5708

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/27/2011 1:35:07 PM
mbam-log-2011-02-27 (13-35-03).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 186185
Time elapsed: 26 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{51243209-ab7f-40fe-b2b7-0d4750978116}\RP203\A0044381.exe (Trojan.Dropper) -> No action taken.

GMER one:

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-02-27 14:43:42
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST9408114A rev.8.03
Running: gmerp2dtb9ts.exe; Driver: C:\DOCUME~1\Chance\LOCALS~1\Temp\uxliqaog.sys


---- System - GMER 1.0.15 ----

SSDT spmo.sys ZwEnumerateKey [0xB9ECDDA4]
SSDT spmo.sys ZwEnumerateValueKey [0xB9ECE132]

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B9E11B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [B9E11B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B9E11B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [B9E11B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\ahqllesf \Device\Scsi\ahqllesf1Port2Path0Target0Lun0 898321F8
Device \Driver\ahqllesf \Device\Scsi\ahqllesf1 898321F8
Device \FileSystem\Ntfs \Ntfs 89ACC1F8

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

---- EOF - GMER 1.0.15 ----


GMER two:

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-02-27 15:14:58
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST9408114A rev.8.03
Running: gmerp2dtb9ts.exe; Driver: C:\DOCUME~1\Chance\LOCALS~1\Temp\uxliqaog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwAssignProcessToJobObject [0xA909F610]
SSDT spmo.sys ZwCreateKey [0xB9EB50E0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDebugActiveProcess [0xA909FC10]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDuplicateObject [0xA909F730]
SSDT spmo.sys ZwEnumerateKey [0xB9ECDDA4]
SSDT spmo.sys ZwEnumerateValueKey [0xB9ECE132]
SSDT spmo.sys ZwOpenKey [0xB9EB50C0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenProcess [0xA909F4B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenThread [0xA909F570]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwProtectVirtualMemory [0xA909F6D0]
SSDT spmo.sys ZwQueryKey [0xB9ECE20A]
SSDT spmo.sys ZwQueryValueKey [0xB9ECE08A]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetContextThread [0xA909F690]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetInformationThread [0xA909F650]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSecurityObject [0xA909F7D0]
SSDT spmo.sys ZwSetValueKey [0xB9ECE29C]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendProcess [0xA909F510]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendThread [0xA909F590]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateProcess [0xA909F4D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateThread [0xA909F5D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwWriteVirtualMemory [0xA909F750]

INT 0x62 ? 89ACDBF8
INT 0x63 ? 89854F00
INT 0x63 ? 89854F00
INT 0x82 ? 89ACDBF8
INT 0x83 ? 89854F00
INT 0xB4 ? 89854F00

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89ACC1F8

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

Device \Driver\usbuhci \Device\USBPDO-0 897371F8
Device \Driver\usbuhci \Device\USBPDO-1 897371F8
Device \Driver\usbuhci \Device\USBPDO-2 897371F8
Device \Driver\usbuhci \Device\USBPDO-3 897371F8
Device \Driver\usbehci \Device\USBPDO-4 897363F8

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

Device \Driver\Ftdisk \Device\HarddiskVolume1 89A5F1F8
Device \Driver\Cdrom \Device\CdRom0 8970D1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B9E11B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [B9E11B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B9E11B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [B9E11B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Cdrom \Device\CdRom1 8970D1F8
Device \Driver\sptd \Device\1530196756 spmo.sys
Device \Driver\NetBT \Device\NetBt_Wins_Export 897601F8
Device \Driver\PCI_PNP1756 \Device\0000004b spmo.sys
Device \Driver\NetBT \Device\NetbiosSmb 897601F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{6863198E-FAAB-483C-9717-FABA7F3633E9} 897601F8
Device \Driver\usbuhci \Device\USBFDO-0 897371F8
Device \Driver\usbuhci \Device\USBFDO-1 897371F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89861500
Device \Driver\usbuhci \Device\USBFDO-2 897371F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89861500
Device \Driver\usbuhci \Device\USBFDO-3 897371F8
Device \Driver\usbehci \Device\USBFDO-4 897363F8
Device \Driver\Ftdisk \Device\FtControl 89A5F1F8
Device \Driver\ahqllesf \Device\Scsi\ahqllesf1Port2Path0Target0Lun0 898321F8
Device \Driver\ahqllesf \Device\Scsi\ahqllesf1 898321F8
Device \FileSystem\Cdfs \Cdfs 89590500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x5C 0x7B 0xEB 0x65 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xD1 0x21 0x5C 0xF0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xAA 0x68 0x0C 0xF8 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x5C 0x7B 0xEB 0x65 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xD1 0x21 0x5C 0xF0 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xAA 0x68 0x0C 0xF8 ...

---- EOF - GMER 1.0.15 ----


And I was not able to finish DDS so I do not have the last two logs.
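Added example (not the original poster's or either replier's, and not from Malwarebytes or GMER): a small Python triage script run over excerpts of the two logs pasted above. It pulls each MBAM detection line apart into path, threat name and action so a "No action taken" result cannot be missed, notes when the flagged file sits under System Volume Information\_restore (a System Restore snapshot copy rather than a running binary), and groups the GMER SSDT hooks by the module they point at. Vendor attribution is taken only from GMER's own labels (ehdrv.sys is labelled ESET in the log) and from the Device section, which ties spmo.sys to the sptd service; the sample log text is copied from the post, and the regular expressions assume the MBAM 1.x and GMER 1.0.15 line layouts shown there.

```python
"""Triage helpers for an MBAM 1.x log and a GMER 1.0.15 log (added example)."""
import re
from collections import defaultdict

# Constructed sample input: excerpts of the Malwarebytes and GMER logs quoted in the post.
MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
Database version: 5708
Files Infected: 1

Files Infected:
c:\system volume information\_restore{51243209-ab7f-40fe-b2b7-0d4750978116}\RP203\A0044381.exe (Trojan.Dropper) -> No action taken.
"""

GMER_LOG = r"""SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwAssignProcessToJobObject [0xA909F610]
SSDT spmo.sys ZwCreateKey [0xB9EB50E0]
SSDT spmo.sys ZwEnumerateKey [0xB9ECDDA4]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenProcess [0xA909F4B0]
Device \Driver\sptd \Device\1530196756 spmo.sys
Device \Driver\PCI_PNP1756 \Device\0000004b spmo.sys
"""

# MBAM 1.x detail line:  <path> (<threat name>) -> <action>.
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
# GMER SSDT line:  SSDT <module> [(vendor label)] <Zw function> [<hook address>]
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)(?:\s+\((?P<label>[^)]*)\))?\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$"
)
# GMER Device line whose last token is a driver image:  Device \Driver\<service> <device> <module>.sys
DEVICE_RE = re.compile(r"^Device\s+\\Driver\\(?P<service>\S+)\s+\S+\s+(?P<module>\S+\.sys)$")


def parse_mbam(log):
    """Return every MBAM detection as a dict with keys path, threat, action."""
    hits = []
    for line in log.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits


def triage_mbam(log):
    """Flag detections MBAM logged but did not remove, and restore-point copies."""
    findings = []
    for hit in parse_mbam(log):
        if hit["action"].lower() == "no action taken":
            findings.append(("not_removed", hit["path"]))
        if "\\system volume information\\_restore" in hit["path"].lower():
            # A file under _restore{GUID}\RPnnn is a System Restore snapshot copy, not a
            # running binary. It comes back whenever that restore point is applied and is
            # cleared by turning System Restore off (which deletes all restore points).
            findings.append(("restore_point_copy", hit["path"]))
    return findings


def ssdt_hooks_by_module(log):
    """Group hooked Zw* services by the basename of the module GMER attributes them to."""
    hooks = defaultdict(list)
    for line in log.splitlines():
        m = SSDT_RE.match(line.strip())
        if m:
            hooks[m["module"].rsplit("\\", 1)[-1].lower()].append(m["func"])
    return dict(hooks)


def module_owners(log):
    """Map driver image -> owning service name, taken from GMER's Device section."""
    owners = {}
    for line in log.splitlines():
        m = DEVICE_RE.match(line.strip())
        if m:
            owners.setdefault(m["module"].lower(), m["service"])
    return owners


def explain_ssdt(log):
    """One verdict per hooking module: GMER's vendor label if present, else the owning service."""
    labels = {}
    for line in log.splitlines():
        m = SSDT_RE.match(line.strip())
        if m and m["label"]:
            labels[m["module"].rsplit("\\", 1)[-1].lower()] = m["label"]
    owners = module_owners(log)
    verdicts = {}
    for module, funcs in ssdt_hooks_by_module(log).items():
        if module in labels:
            verdicts[module] = f"{len(funcs)} hooks, labelled by GMER: {labels[module]}"
        elif module in owners:
            verdicts[module] = f"{len(funcs)} hooks, unlabelled; Device section ties it to service '{owners[module]}'"
        else:
            verdicts[module] = f"{len(funcs)} hooks, unlabelled and no owning service found: investigate"
    return verdicts


if __name__ == "__main__":
    for kind, path in triage_mbam(MBAM_LOG):
        print(f"[{kind}] {path}")
    for module, verdict in explain_ssdt(GMER_LOG).items():
        print(f"{module}: {verdict}")
```

On the sample above the script reports the Trojan.Dropper hit as both not removed and a restore-point copy, attributes the ehdrv.sys hooks to ESET from GMER's own label, and resolves the otherwise unlabelled spmo.sys hooks to the sptd service (the Registry section of the full log points that service at the Alcohol 120% install directory). An unlabelled module with no owning service would be the case worth chasing further.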


The first thing you need to do is update Mbam. Database 5708 is old; the current version is 5897. Secondly, your log shows "no action taken"; you need to get Mbam to remove the infection.


...I did use action, that's weird. I will rescan and redo the action and repost.
