

Infected with root.kitagent/gen-uacfake



#1 Ts3

Ts3

  • Members
  • 1 posts
  • OFFLINE
  • Local time:07:52 PM

Posted 20 August 2009 - 06:15 PM

I was browsing Google searches on Mozilla Firefox and I clicked on a site, and Firefox told me that the site may have harmful stuff on it. So, naturally, I backed out of it and continued to go to my regular sites. Five minutes later, I get this fake anti-virus pop-up that told me it was downloading its contents. When the numbers went up, I said forget this and manually turned off my computer. A few minutes later, I turned my computer back on, and right when my icons load up it says, "Google installer encountered a problem and needed to close" and "Veiwmgr has encountered a problem and needed to close."
I realized the malware had done its thing because when I clicked on a link on my search engine, instead of taking me to the site, it took me to some random ad site. I tried to run a Windows Defender scan, but the malware would not allow it. So I deleted Windows Defender and downloaded SuperAntiSpyware. When I tried to open it, it instantaneously came up with "superantispyware has encountered a problem and needs to close we are sorry for the inconvenience." Knowing this was the malware's doing, I renamed the SuperAntiSpyware exe to a different name (shoop.exe). Once it opened, I did a thorough scan of my computer, and it found this: Rootkit.agent/gen-uacFake. Never having seen this type of malware before, I was stumped. It continued doing its scan until it just closed the window. I tried bringing it back up, but it said something about needing administrator access. So I deleted SuperAntiSpyware, reinstalled it, changed the exe name, and ran a full scan. Once it found the file, I stopped the scan, quarantined it and deleted it. It told me to reboot my computer, so I did, and when it came back up it still had the "Google installer encountered a problem and needed to close" and "Veiwmgr has encountered a problem and needed to close" (I tried this in normal and safe mode). I tried Norton Anti-Virus, but it, unsurprisingly, only found a tracking cookie, and I tried Viprerescue, but it did not seem to work.

Log


DDS (Ver_09-07-30.01) - NTFSx86
Run by Tyler at 18:24:21.21 on Thu 08/20/2009
Internet Explorer: 8.0.6001.18241
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.77 [GMT -4:00]

AV: Norton AntiVirus *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ResChanger 2005\ResChanger2005.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Tyler\My Documents\Firefox downloads\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {1c3c4699-b285-475f-be47-0b26088ce876} - [SASInprocServer32]
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.30.0\gears.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {F06E2ABE-3A50-4079-BE25-FC100D9EAA25} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SP2 Connection Patcher] "c:\program files\sp2 connection patcher\SP2ConnPatcher.exe" -n=200
uRun: [ares] "c:\program files\ares\Ares.exe" -h
uRun: [ResChanger 2005] c:\program files\reschanger 2005\ResChanger2005.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\bleepballs.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton antivirus\osCheck.exe"
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [hid_start] c:\windows\system32\rundll32.exe "c:\windows\system32\gzmrotate.dll" DllVerify
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [net] "c:\windows\system32\net.net"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\tyler\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.0\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.30.0\gears.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/MyFunCardsInitialSetup1.0.1.1.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132164795250
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {e517b912-2c97-4a94-8b15-e7fe902b8d86} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tyler\applic~1\mozilla\firefox\profiles\w508brdu.default\
FF - component: c:\program files\google\google gears\firefox\lib\ff35\gears.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\tyler\application data\mozilla\firefox\profiles\w508brdu.default\extensions\justintvpublisher@justin.tv\platform\winnt_x86-msvc\plugins\npjustintvpublish.dll
FF - plugin: c:\documents and settings\tyler\application data\mozilla\firefox\profiles\w508brdu.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [2006-12-4 33824]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-8-27 566616]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2006-9-3 105632]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-3-14 55152]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
R3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2006-9-3 105632]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2007-9-9 112688]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20071203.003\NAVENG.SYS [2007-12-3 81232]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20071203.003\NAVEX15.SYS [2007-12-3 865904]
R3 SWLD23U;Netopia 802.11b WLAN USB Adapter;c:\windows\system32\drivers\swld23u.sys [2007-9-8 82888]
S2 gupdate1c9eec0649b0102;Google Update Service (gupdate1c9eec0649b0102);c:\program files\google\update\GoogleUpdate.exe [2009-6-16 133104]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-12-5 24652]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 NTPASp50;NTPASp50 NDIS Protocol Driver;c:\windows\system32\drivers\NtpaSp50.sys [2007-9-8 17536]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2009-8-20 92464]
S3 swlubtl;WLAN USB Boot Device;c:\windows\system32\drivers\swlubtl.sys [2007-9-8 53690]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-12-4 1252232]

=============== Created Last 30 ================

2009-08-20 18:10 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-20 18:10 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-20 18:10 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-20 18:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-20 17:46 0 a------- c:\windows\system32\SBRC.dat
2009-08-20 17:10 92,464 a------- c:\windows\system32\drivers\SBREDrv.sys
2009-08-20 17:10 65,320 a------- c:\windows\system32\sbbd.exe
2009-08-20 17:09 <DIR> --d----- C:\VIPRERESCUE
2009-08-19 22:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-08-19 22:55 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-08-19 22:55 <DIR> --d----- c:\docume~1\tyler\applic~1\SUPERAntiSpyware.com
2009-08-19 22:45 <DIR> --d----- c:\docume~1\tyler\applic~1\AVG8
2009-08-19 22:42 74,240 a------- c:\windows\system32\uacbbr.dll
2009-08-19 21:58 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-08-19 21:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-08-19 21:10 19,968 a------- c:\windows\system32\uacserf.dll
2009-08-19 21:10 1,110,399 a------- c:\windows\system32\uacmal.db
2009-08-19 21:07 30,208 a------- c:\windows\system32\uacrem.dll
2009-08-19 21:07 <DIR> --d----- c:\program files\AV Care
2009-08-19 21:06 1,110,399 a------- c:\windows\system32\UACxkdnebccfq.db
2009-08-19 21:06 174 a------- c:\windows\system32\UACmbpxovrima.dat
2009-08-19 21:06 6,580 a------- c:\windows\system32\uacinit.dll
2009-08-19 21:06 74,240 a------- c:\windows\system32\UACrumpvvlnty.dll
2009-08-19 21:06 26,624 a------- c:\windows\system32\UACjbimxiiage.dll
2009-08-19 21:06 54,784 a------- c:\windows\system32\drivers\UACnevmjrrnos.sys
2009-08-19 21:05 36,963 a------- c:\windows\system32\net.net
2009-08-15 04:32 1,089,601 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-08-15 03:09 <DIR> --d----- c:\windows\system32\XPSViewer
2009-08-15 03:08 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-15 03:08 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-15 03:08 117,760 -------- c:\windows\system32\prntvpt.dll
2009-08-15 03:08 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-15 03:08 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-08-15 03:08 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-08-15 03:08 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-08-15 03:08 <DIR> --d----- C:\1e187cf0e111d989077dfe8e46395e
2009-08-15 03:02 <DIR> --d----- c:\program files\MSXML 6.0
2009-08-12 18:53 <DIR> --d----- c:\program files\Codemasters
2009-08-11 18:29 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-01 20:13 <DIR> --d----- C:\Sshock2
2009-08-01 19:49 285 a------- c:\windows\EReg072.dat
2009-08-01 19:49 38,160 a------- c:\windows\system32\LMRTREND.dll
2009-08-01 19:49 140,800 a------- c:\windows\system32\tm20dec.ax
2009-08-01 19:49 182,032 a------- c:\windows\system32\dxtmsft3.dll
2009-08-01 19:48 63,488 a------- c:\windows\system32\unam4ie.exe
2009-08-01 19:48 11,776 a------- c:\windows\system32\mciqtz.drv
2009-08-01 19:48 10,240 a------- c:\windows\system32\vidx16.dll
2009-08-01 19:48 5,672 a------- c:\windows\system32\quartz.vxd
2009-08-01 19:48 194,320 a------- c:\windows\system32\qcut.dll
2009-08-01 19:48 4,608 a------- c:\windows\system32\w95inf32.dll
2009-08-01 19:48 2,272 a------- c:\windows\system32\w95inf16.dll
2009-08-01 18:51 <DIR> --d----- c:\program files\PeerGuardian2
2009-07-29 10:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2009-07-29 10:40 <DIR> --d----- c:\program files\DAEMON Tools Toolbar
2009-07-29 10:40 <DIR> --d----- c:\program files\DAEMON Tools Lite
2009-07-29 10:33 <DIR> --d----- c:\docume~1\tyler\applic~1\DAEMON Tools Lite
2009-07-24 16:48 0 a------- c:\windows\DXT19C.tmp
2009-07-24 16:48 0 a------- c:\windows\DXT19B.tmp
2009-07-24 16:48 0 a------- c:\windows\DXT19A.tmp
2009-07-24 16:48 0 a------- c:\windows\DXT199.tmp
2009-07-24 16:48 0 a------- c:\windows\DXT198.tmp
2009-07-24 16:48 0 a------- c:\windows\DXT197.tmp
2009-07-24 16:45 <DIR> --d----- C:\DeusEx

==================== Find3M ====================

2009-08-05 05:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-29 10:33 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-07-17 14:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\wmpdxm.dll
2009-06-25 14:36 661,504 a------- c:\windows\system32\mqqm.dll
2009-06-25 14:36 517,120 a------- c:\windows\system32\mqsnap.dll
2009-06-25 14:36 471,552 a------- c:\windows\system32\mqutil.dll
2009-06-25 14:36 225,280 a------- c:\windows\system32\mqoa.dll
2009-06-25 14:36 186,880 a------- c:\windows\system32\mqtrig.dll
2009-06-25 14:36 177,152 a------- c:\windows\system32\mqrt.dll
2009-06-25 14:36 138,240 a------- c:\windows\system32\mqad.dll
2009-06-25 14:36 123,392 a------- c:\windows\system32\mqrtdep.dll
2009-06-25 14:36 95,744 a------- c:\windows\system32\mqsec.dll
2009-06-25 14:36 48,640 a------- c:\windows\system32\mqupgrd.dll
2009-06-25 14:36 47,104 a------- c:\windows\system32\mqdscli.dll
2009-06-25 14:36 16,896 a------- c:\windows\system32\mqise.dll
2009-06-25 04:44 724,480 a------- c:\windows\system32\lsasrv.dll
2009-06-25 04:44 298,496 a------- c:\windows\system32\kerberos.dll
2009-06-25 04:44 168,448 a------- c:\windows\system32\schannel.dll
2009-06-25 04:44 133,632 a------- c:\windows\system32\msv1_0.dll
2009-06-25 04:44 59,392 a------- c:\windows\system32\wdigest.dll
2009-06-25 04:44 56,320 a------- c:\windows\system32\secur32.dll
2009-06-22 07:49 117,248 a------- c:\windows\system32\mqtgsvc.exe
2009-06-22 07:49 19,968 a------- c:\windows\system32\mqbkup.exe
2009-06-22 07:49 4,608 a------- c:\windows\system32\mqsvc.exe
2009-06-22 07:48 91,776 a------- c:\windows\system32\drivers\mqac.sys
2009-06-22 07:34 92,544 a------- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 10:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-12 07:50 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 07:50 76,288 a------- c:\windows\system32\telnet.exe
2009-06-11 09:45 0 ----h--- C:\logwmemory.bin
2009-06-10 10:21 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 02:32 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-05 03:42 655,872 a------- c:\windows\system32\mstscax.dll
2009-06-03 15:27 1,290,752 a------- c:\windows\system32\quartz.dll
2008-07-29 02:26 0 ac------ c:\documents and settings\tyler\jagex_runescape_preferences.dat
2006-07-01 13:10 4,169 ac------ c:\program files\Necz.nfo
2003-10-21 14:07 230,455 a------- c:\program files\granny2.dll
2003-10-21 14:06 377,856 a------- c:\program files\binkw32.dll
1998-07-14 16:18 66 ac------ c:\program files\AUTORUN.INF

============= FINISH: 18:26:51.46 ===============
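As an added example that is not part of this thread and not a tool either poster used: a defender-side triage script that parses the pseudo-HJT Run-key lines and the "Created Last 30" lines of a DDS log like the one above (a subset of its lines is embedded as constructed sample input) and surfaces two things a helper reads off such a log by eye: a burst of same-minute file drops under system32 sharing the uac* name prefix, and a Run value whose launched image has an unusual extension (net.net). The regexes, the extension allow-list and the thresholds are my assumptions, not part of DDS.

```python
import re
from collections import defaultdict

# Constructed sample: Run-key and "Created Last 30" lines copied from the DDS log above.
SAMPLE_LOG = r"""
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [net] "c:\windows\system32\net.net"
2009-08-20 18:10 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-19 21:06 1,110,399 a------- c:\windows\system32\UACxkdnebccfq.db
2009-08-19 21:06 174 a------- c:\windows\system32\UACmbpxovrima.dat
2009-08-19 21:06 6,580 a------- c:\windows\system32\uacinit.dll
2009-08-19 21:06 74,240 a------- c:\windows\system32\UACrumpvvlnty.dll
2009-08-19 21:06 26,624 a------- c:\windows\system32\UACjbimxiiage.dll
2009-08-19 21:06 54,784 a------- c:\windows\system32\drivers\UACnevmjrrnos.sys
2009-08-19 21:05 36,963 a------- c:\windows\system32\net.net
"""

# Assumed line shapes: "YYYY-MM-DD HH:MM size attrs path" and "xRun: [name] command".
CREATED_RE = re.compile(r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
                        r"(?P<size>[\d,]+|<DIR>) (?P<attrs>\S{8}) (?P<path>.+)$")
RUN_RE = re.compile(r"^(?P<hive>[umd]Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
NORMAL_EXEC_EXT = {"exe", "scr", "com", "bat", "cmd", "pif"}  # assumed allow-list


def parse_created(text):
    """Return [(stamp, size_bytes_or_None, path)] for 'Created Last 30' lines."""
    out = []
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
            out.append((m["stamp"], size, m["path"]))
    return out


def parse_run(text):
    """Return [(hive, value_name, command)] for uRun/mRun/dRun/mRunOnce lines."""
    return [(m["hive"], m["name"], m["cmd"]) for m in
            (RUN_RE.match(l.strip()) for l in text.splitlines()) if m]


def launched_image(cmd):
    """The image a Run command starts: the quoted path, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def odd_autorun_targets(runs):
    """Run values whose launched image has an unusual extension. CreateProcess
    checks the PE header, not the extension, so a 'net.net' entry still runs."""
    flagged = []
    for hive, name, cmd in runs:
        base = launched_image(cmd).rsplit("\\", 1)[-1]
        ext = base.rsplit(".", 1)[1].lower() if "." in base else ""
        if ext not in NORMAL_EXEC_EXT:
            flagged.append((hive, name, base))
    return flagged


def _system32_files(entries):
    for stamp, size, path in entries:
        if size is not None and "\\system32\\" in path.lower():
            yield stamp, path.rsplit("\\", 1)[-1], path


def created_bursts(entries, min_files=3):
    """Minutes in which at least min_files files landed under system32."""
    by_minute = defaultdict(list)
    for stamp, _base, path in _system32_files(entries):
        by_minute[stamp].append(path)
    return sorted((s, p) for s, p in by_minute.items() if len(p) >= min_files)


def name_families(entries, prefix_len=3, min_files=3):
    """Files sharing a case-insensitive name prefix (here: the uac* family)."""
    by_prefix = defaultdict(list)
    for _stamp, base, _path in _system32_files(entries):
        by_prefix[base[:prefix_len].lower()].append(base)
    return {k: v for k, v in by_prefix.items() if len(v) >= min_files}
```

Run it on a full DDS log by replacing SAMPLE_LOG with the file contents; the thresholds are deliberately low so that a single dropper's files stand out against normal Windows Update activity, which tends to land in dllcache with distinct names.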

#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:52 PM

Posted 29 August 2009 - 03:33 PM

Hello! :thumbup2:
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.




Please download and run Win32kDiag:
Download and run a batch file (peek.bat):
  • Download peek.bat from the download link below and save it to your Desktop.
  • Double-click peek.bat to run it. A black Command Prompt window will appear shortly: the program is running.
  • Once it is finished, copy and paste the entire contents of the Log.txt file it creates as a reply to this post.
==========

Please post the following logs in your next reply:

* Win32kDiag.txt
* Log.txt
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!

