
infected with Vundo variant / rootkit tdsserv


This topic is locked
3 replies to this topic

#1 kmag

kmag

  • Members
  • 3 posts
  • OFFLINE
  • Local time:07:12 AM

Posted 22 January 2009 - 11:44 AM

Helping a coworker. BSOD, but noticed IE wasn't working, so I managed to get SUPERAntiSpyware working and it found:
vundo variant
rootkit.tdsserv
rootkit.tdsserv/fake
rootkit.tdsserv-trace
trojan.net-suhoster
trojan.unknown origin

Seems like I can't get rid of Vundo. Assistance would be greatly appreciated.
Here is dds.txt:


DDS (Ver_09-01-19.01) - NTFSx86
Run by abaluch at 11:33:20.84 on 2009-01-22
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1459 [GMT -5:00]

AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\MSA23B.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\SUPERAntiSpyware\7045023a-073e-480d-a8cf-e3c34b8813cc.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\abaluch\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\acrobat\activex\AcroIEHelper.ocx
BHO: {3301ae64-8daa-4207-b64f-ebdf780ac569} - c:\windows\system32\cmsetac.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\7045023a-073e-480d-a8cf-e3c34b8813cc.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_11\bin\jusched.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)
mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://lambda/officescan/console/ClientInstall/WinNTChk.cab
DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxps://lambda/officescan/console/ClientInstall/setup.cab
DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} - hxxps://lambda/officescan/console/html/AtxEnc.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab
DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} - hxxps://lambda/officescan/console/ClientInstall/RemoveCtrl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172771779423
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 qvkzacgp;qvkzacgp;c:\windows\system32\drivers\qvkzacgp.sys [2004-8-11 23424]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\program files\virtualcd\VCdRom.sys [2007-2-27 8576]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
R4 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-3-17 65536]
R4 MsDtsServer;SQL Server Integration Services;c:\program files\microsoft sql server\90\dts\binn\MsDtsSrvr.exe [2007-3-3 202096]
R4 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXPFlt.sys [2006-9-6 205328]
R4 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2006-9-6 36368]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-1-21 38496]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2007-6-22 652552]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]

=============== Created Last 30 ================

2009-01-21 17:37 <DIR> a-dshr-- C:\cmdcons
2009-01-21 17:34 161,792 a------- c:\windows\SWREG.exe
2009-01-21 17:34 98,816 a------- c:\windows\sed.exe
2009-01-21 12:18 <DIR> --d----- c:\docume~1\abaluch\applic~1\Malwarebytes
2009-01-21 12:18 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-21 12:18 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-21 12:18 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-21 12:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-21 12:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avg8
2009-01-21 10:06 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-01-21 10:05 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-01-21 10:04 2,142,720 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-21 10:04 2,185,984 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-21 10:04 2,020,864 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-21 10:04 2,062,976 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-21 10:02 453,632 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-01-20 17:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-20 17:00 <DIR> --d----- c:\program files\AVG
2009-01-20 16:58 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-20 16:58 <DIR> --d----- c:\docume~1\abaluch\applic~1\SUPERAntiSpyware.com
2009-01-20 16:54 <DIR> --d----- C:\km
2009-01-20 16:37 <DIR> --d----- c:\windows\pss
2009-01-20 12:07 <DIR> --d----- C:\sysclean
2009-01-20 11:43 229,439 ac------ c:\windows\system32\dllcache\multibox.dll
2009-01-20 11:42 66,728 ac------ c:\windows\system32\dllcache\big5.nls
2009-01-20 11:42 19,456 ac------ c:\windows\system32\dllcache\agt0804.dll
2009-01-20 11:42 19,456 ac------ c:\windows\system32\dllcache\agt0412.dll
2009-01-20 11:42 19,456 ac------ c:\windows\system32\dllcache\agt0411.dll
2009-01-20 11:42 19,456 ac------ c:\windows\system32\dllcache\agt040d.dll
2009-01-20 11:42 19,456 ac------ c:\windows\system32\dllcache\agt0404.dll
2009-01-20 11:42 19,456 ac------ c:\windows\system32\dllcache\agt0401.dll
2009-01-20 11:41 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-01-20 11:40 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-01-20 11:40 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-01-20 11:40 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-01-20 11:40 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-01-20 11:40 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-01-20 11:40 16,384 ac------ c:\windows\system32\dllcache\isignup.exe
2009-01-20 11:38 7,680 ac------ c:\windows\system32\dllcache\inetmgr.exe
2009-01-20 11:06 13,753 a----r-- c:\windows\SET73.tmp
2009-01-20 11:06 1,086,058 a----r-- c:\windows\SET67.tmp
2009-01-20 11:06 1,042,903 a----r-- c:\windows\SET64.tmp
2009-01-20 05:57 2,145,009,664 a------- c:\windows\MEMORY.DMP
2009-01-20 05:57 <DIR> --d----- c:\windows\dell
2009-01-20 02:02 10,752 a------- c:\windows\DCEBoot.exe
2008-12-29 15:33 <DIR> --d----- c:\temp\JavaScriptCalendar

==================== Find3M ====================

2009-01-20 11:38 29,476 a------- c:\windows\system32\emptyregdb.dat
2008-12-11 06:57 333,184 a------- c:\windows\system32\drivers\srv.sys

============= FINISH: 11:34:10.68 ===============


#2 kmag

kmag
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:07:12 AM

Posted 22 January 2009 - 04:34 PM

Sorry, but I went back and applied Windows / Java updates in the hopes. I am posting a new dds.txt and attach.zip.


DDS (Ver_09-01-19.01) - NTFSx86
Run by abaluch at 16:24:25.35 on 2009-01-22
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1542 [GMT -5:00]

AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\SUPERAntiSpyware\7045023a-073e-480d-a8cf-e3c34b8813cc.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\TEMP\AXAF64.EXE
C:\Documents and Settings\abaluch\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\acrobat\activex\AcroIEHelper.ocx
BHO: {3301ae64-8daa-4207-b64f-ebdf780ac569} - c:\windows\system32\cmsetac.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\7045023a-073e-480d-a8cf-e3c34b8813cc.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)
mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://lambda/officescan/console/ClientInstall/WinNTChk.cab
DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxps://lambda/officescan/console/ClientInstall/setup.cab
DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} - hxxps://lambda/officescan/console/html/AtxEnc.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab
DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} - hxxps://lambda/officescan/console/ClientInstall/RemoveCtrl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172771779423
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 qvkzacgp;qvkzacgp;c:\windows\system32\drivers\qvkzacgp.sys [2004-8-11 23424]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\program files\virtualcd\VCdRom.sys [2007-2-27 8576]
R4 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-3-17 65536]
R4 MsDtsServer;SQL Server Integration Services;c:\program files\microsoft sql server\90\dts\binn\MsDtsSrvr.exe [2007-3-3 202096]
R4 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXPFlt.sys [2006-9-6 205328]
R4 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2006-9-6 36368]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2007-6-22 652552]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]

=============== Created Last 30 ================

2009-01-22 15:59 <DIR> --d----- C:\ComboFix
2009-01-22 12:56 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-22 12:56 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-21 17:37 <DIR> a-dshr-- C:\cmdcons
2009-01-21 17:34 161,792 a------- c:\windows\SWREG.exe
2009-01-21 17:34 98,816 a------- c:\windows\sed.exe
2009-01-21 12:18 <DIR> --d----- c:\docume~1\abaluch\applic~1\Malwarebytes
2009-01-21 12:18 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-21 12:18 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-21 12:18 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-21 12:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-21 12:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avg8
2009-01-21 11:01 572,557 -c------ c:\windows\system32\dllcache\rtuner.wmv
2009-01-21 11:00 19,569 a------- c:\windows\003515_.tmp
2009-01-21 10:05 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-01-21 10:05 666,112 -c------ c:\windows\system32\dllcache\wininet.dll
2009-01-21 10:05 619,520 -c------ c:\windows\system32\dllcache\urlmon.dll
2009-01-21 10:05 1,499,136 -c------ c:\windows\system32\dllcache\shdocvw.dll
2009-01-21 10:04 1,846,400 -c------ c:\windows\system32\dllcache\win32k.sys
2009-01-21 10:04 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-21 10:04 2,189,184 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-21 10:04 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-21 10:04 2,066,048 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-21 10:03 3,067,904 -c------ c:\windows\system32\dllcache\mshtml.dll
2009-01-21 10:02 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2009-01-21 10:02 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-01-21 10:01 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2009-01-21 10:00 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-01-21 09:59 333,952 -c------ c:\windows\system32\dllcache\srv.sys
2009-01-20 17:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-20 17:00 <DIR> --d----- c:\program files\AVG
2009-01-20 16:58 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-20 16:58 <DIR> --d----- c:\docume~1\abaluch\applic~1\SUPERAntiSpyware.com
2009-01-20 16:54 <DIR> --d----- C:\km
2009-01-20 16:37 <DIR> --d----- c:\windows\pss
2009-01-20 12:07 <DIR> --d----- C:\sysclean
2009-01-20 11:43 229,439 ac------ c:\windows\system32\dllcache\multibox.dll
2009-01-20 11:42 66,728 ac------ c:\windows\system32\dllcache\big5.nls
2009-01-20 11:41 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-01-20 11:40 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-01-20 11:40 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-01-20 11:40 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-01-20 11:40 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-01-20 11:40 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-01-20 11:40 16,384 ac------ c:\windows\system32\dllcache\isignup.exe
2009-01-20 11:38 7,680 ac------ c:\windows\system32\dllcache\inetmgr.exe
2009-01-20 11:06 13,753 a----r-- c:\windows\SET73.tmp
2009-01-20 11:06 1,086,058 a----r-- c:\windows\SET67.tmp
2009-01-20 11:06 1,042,903 a----r-- c:\windows\SET64.tmp
2009-01-20 05:57 2,145,009,664 a------- c:\windows\MEMORY.DMP
2009-01-20 05:57 <DIR> --d----- c:\windows\dell
2009-01-20 02:02 10,752 a------- c:\windows\DCEBoot.exe
2008-12-29 15:33 <DIR> --d----- c:\temp\JavaScriptCalendar

==================== Find3M ====================

2009-01-20 11:38 29,476 a------- c:\windows\system32\emptyregdb.dat
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys

============= FINISH: 16:26:55.61 ===============


#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:12 AM

Posted 31 January 2009 - 02:50 AM

Hello kmag,

Sorry about the delay. If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:12 AM

Posted 07 February 2009 - 11:28 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else, please begin a New Topic.