
SHeur2, Cutwail, Spy.Zbot, TDSServ, Downloader.Generic, etc...



#1 carissa_lee_


Posted 15 October 2009 - 05:50 PM

This is on my coworker's computer. I removed the "AntiVirus Pro" from his computer with this forum's help about a year ago. I then put AVG and Malwarebytes' on his computer, set up regular AVG scans, and showed him how to update and scan MBAM. We don't use our computers for much else than work, so I assumed this was sufficient. Since he said he had been doing regular scans and updates for MBAM, I assumed his computer was ok and I didn't think to check it.

AVG's Resident Shield alerted first to the threat Trojan horse SHeur2.BJJW. I told him to run MBAM, he did. Reboot and didn't get rid of it. I took over and realized MBAM needed an update, which I did, and rescanned. Found more, reboot, scanned again after reboot. Right after reboot, MRT.exe popped up and told me to use that to scan. After dealing with many lovely fake anti-virus programs pretending to be Windows or Microsoft software, I looked around and found out that was ok, and used it to scan. Said it found one, but couldn't remove it fully. In short, didn't get rid of them. Downloaded Spyware Doctor (trial), scanned, and found a bunch more. I have no idea how to post Spyware Doctor's logs (or if I can) so I just took a screenshot.

At this point I have disconnected the computer from the internet and stopped using it. I do have a flash drive to transfer setup files from my computer to his if needed.

Here are some logs:
AVG:

"Scan ""Scheduled scan"" was finished."
"Infections";"1";"0";"1"
"Warnings";"9"
"Folders selected for scanning:";"Scan whole computer"
"Scan started:";"Tuesday, October 13, 2009, 1:00:01 AM"
"Scan finished:";"Tuesday, October 13, 2009, 3:16:08 AM (2 hour(s) 16 minute(s) 7 second(s))"
"Total object scanned:";"405461"
"User who launched the scan:";"SYSTEM"

"Infections"
"File";"Infection";"Result"
"C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Q7C5A1JM\x[1].exe";"Trojan horse SHeur2.BJJV";"Infected"

"Warnings"
"File";"Infection";"Result"
"C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt";"Found Tracking cookie.Atdmt";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt:\atdmt.com.7247c262";"Found Tracking cookie.Atdmt";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt:\atdmt.com.b3e33b5f";"Found Tracking cookie.Atdmt";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt";"Found Tracking cookie.Doubleclick";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt:\doubleclick.net.bf396750";"Found Tracking cookie.Doubleclick";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt:\msnportal.112.2o7.net.7225be6f";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt";"Found Tracking cookie.Tribalfusion";"Potentially dangerous object"
"C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt:\tribalfusion.com.dcc03271";"Found Tracking cookie.Tribalfusion";"Potentially dangerous object"


First MBAM scan:

Malwarebytes' Anti-Malware 1.28
Database version: 1234
Windows 5.1.2600 Service Pack 3

10/13/2009 9:30:19 AM
mbam-log-2009-10-13 (09-30-19).txt

Scan type: Quick Scan
Objects scanned: 80070
Time elapsed: 14 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{a249bc15-23f2-42ad-f4e4-00aac39c0004} (Trojan.Zlob.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{a249bc15-23f2-42ad-f4e4-00aac39c0004} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\ntos.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: system32\ntos.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\wsnpoem (Trojan.Agent) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\z9a6gckrj.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\WINDOWS\system32\wsnpoem\audio.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\wsnpoem\video.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ntos.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\Temp\BN3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.


Second MBAM scan:

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

10/14/2009 12:11:51 PM
mbam-log-2009-10-14 (12-11-51).txt

Scan type: Quick Scan
Objects scanned: 139270
Time elapsed: 27 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 7
Registry Data Items Infected: 6
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{037c7b8a-151a-49e6-baed-cc05fcb50328} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TDSSserv (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{02ffac45-0b10-5633-4296-1801f1a36678} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{f710fa10-2031-3106-8872-93a2b5c5c620} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{02ffac45-0b10-5633-4296-1801f1a36678} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{f710fa10-2031-3106-8872-93a2b5c5c620} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\ntos.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: system32\ntos.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\wsnpoem (Trojan.Agent) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\wsnpoem\audio.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\wsnpoem\video.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ntos.exe (Backdoor.Bot) -> Delete on reboot.


Third:

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

10/14/2009 6:52:47 PM
mbam-log-2009-10-14 (18-52-42).txt

Scan type: Quick Scan
Objects scanned: 41481
Time elapsed: 12 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{02ffac45-0b10-5633-4296-1801f1a36678} (Trojan.Agent) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{f710fa10-2031-3106-8872-93a2b5c5c620} (Trojan.Agent) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{02ffac45-0b10-5633-4296-1801f1a36678} (Trojan.Agent) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{f710fa10-2031-3106-8872-93a2b5c5c620} (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Spyware Doctor ss: http://i35.tinypic.com/aeulua.jpg
(wasn't sure if I'm allowed to post pics so I just linked it instead)

And, for good measure, a ss of the AVG virus vault. Apparently the first one was downloaded a while ago. I guess I need to pay more attention to his computer.
http://i37.tinypic.com/2mrd0uo.jpg

Oh, I don't know if this is necessary, but these programs were running on his computer. When I looked them up, these were the suspicious ones:
7.tmp
C.tmp


***edit***
I read over the other link and downloaded DDS and RootScan and put them on his computer and scanned. The problem I had though is that RootRepeal froze halfway through the scan. I don't know if that's a typical issue or if it's a complication due to the virus. I can try to run it again if you want, just let me know. I didn't want to keep trying to blindly run the scan with no outcome. I'll leave the rest of my post as it is, in case it helps...

DDS:

DDS (Ver_09-10-13.01) - NTFSx86
Run by Administrator at 12:01:42.35 on Thu 10/15/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\ntos.exe,
BHO: c:\windows\system32\a420rzr.dll: {a249bc15-23f2-42ad-f4e4-00aac39c0004} - c:\windows\system32\a420rzr.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {5852F5ED-8BF4-11D4-A245-0080C6F74284} - hxxp://javadl-esd.sun.com/update/1.6.0/jinstall-6-windows-i586.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127349677093
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-10-14 18:25 15,000 a------- c:\windows\system32\z35wp3uwo.dll
2009-10-14 18:23 38 a------- C:\F.tmp
2009-10-14 18:23 64,000 a------- C:\7.tmp
2009-10-14 17:51 1,636,304 a------- c:\windows\PCTBDCore.dll
2009-10-14 17:51 1,152,470 a------- c:\windows\UDB.zip
2009-10-14 17:51 767,952 a------- c:\windows\BDTSupport.dll
2009-10-14 17:51 165,840 a------- c:\windows\PCTBDRes.dll
2009-10-14 17:51 149,456 a------- c:\windows\SGDetectionTool.dll
2009-10-14 17:51 882 a------- c:\windows\RegSDImport.xml
2009-10-14 17:51 880 a------- c:\windows\RegISSImport.xml
2009-10-14 17:51 131 a------- c:\windows\IDB.zip
2009-10-14 17:36 229,304 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-10-14 17:36 7,387 a------- c:\windows\system32\drivers\pctgntdi.cat
2009-10-14 17:35 207,280 a------- c:\windows\system32\drivers\PCTCore.sys
2009-10-14 17:35 87,784 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-10-14 17:35 7,412 a------- c:\windows\system32\drivers\PCTAppEvent.cat
2009-10-14 17:35 7,383 a------- c:\windows\system32\drivers\pctcore.cat
2009-10-14 17:35 70,408 a------- c:\windows\system32\drivers\pctplsg.sys
2009-10-14 17:35 7,383 a------- c:\windows\system32\drivers\pctplsg.cat
2009-10-14 17:35 <DIR> --d----- c:\program files\Spyware Doctor
2009-10-14 17:35 <DIR> --d----- c:\program files\common files\PC Tools
2009-10-14 17:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-10-14 17:35 <DIR> --d----- c:\docume~1\admini~1\applic~1\PC Tools
2009-10-14 15:47 38 a------- C:\8.tmp
2009-10-14 15:47 64,000 a------- C:\4.tmp
2009-10-14 14:24 <DIR> --d----- c:\windows\ERUNT
2009-10-14 14:21 38 a------- C:\6.tmp
2009-10-14 14:21 0 a------- C:\5.tmp
2009-10-14 14:21 64,000 a------- C:\2.tmp
2009-10-14 14:18 <DIR> --d----- C:\SDFix
2009-10-14 14:17 <DIR> --d----- C:\ComboFix
2009-10-14 14:17 389,120 a------- c:\windows\system32\CF32623.exe
2009-10-14 14:13 389,120 a------- c:\windows\system32\cmd.execf
2009-10-14 11:52 217 a------- c:\windows\system32\MRT.INI
2009-10-13 09:32 15,000 a------- c:\windows\system32\uxxnk5f.dll
2009-10-13 09:32 38 a------- C:\17.tmp
2009-10-13 09:32 64,000 a------- C:\13.tmp
2009-10-13 09:12 38 a------- C:\15.tmp
2009-10-13 09:12 15,000 a------- c:\windows\system32\colusv3mi.dll
2009-10-13 09:12 64,000 a------- C:\10.tmp
2009-10-12 11:26 38 a------- C:\14.tmp
2009-10-12 11:26 64,000 a------- C:\12.tmp
2009-10-12 08:30 38 a------- C:\1B.tmp
2009-10-12 08:30 64,000 a------- C:\19.tmp
2009-10-12 08:30 182,656 a------- c:\windows\system32\dllcache\ndis.sys
2009-10-02 09:08 195,440 -------- c:\windows\system32\MpSigStub.exe

==================== Find3M ====================

2009-10-12 08:30 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-09-11 07:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-11 07:18 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-04 14:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-09-04 14:03 58,880 -------- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 09:11 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-28 09:10 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-28 03:28 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-28 03:28 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-08-26 22:18 634,648 -------- c:\windows\system32\dllcache\iexplore.exe
2009-08-26 22:18 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-08-26 01:00 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-26 01:00 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2009-08-13 08:16 512,000 -------- c:\windows\system32\dllcache\jscript.dll
2009-08-06 19:24 327,896 a------- c:\windows\system32\dllcache\wucltui.dll
2009-08-06 19:24 209,632 a------- c:\windows\system32\dllcache\wuweb.dll
2009-08-06 19:24 35,552 a------- c:\windows\system32\dllcache\wups.dll
2009-08-06 19:24 53,472 a------- c:\windows\system32\dllcache\wuauclt.exe
2009-08-06 19:24 96,480 a------- c:\windows\system32\dllcache\cdm.dll
2009-08-06 19:23 575,704 a------- c:\windows\system32\dllcache\wuapi.dll
2009-08-06 19:23 1,929,952 a------- c:\windows\system32\dllcache\wuaueng.dll
2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 02:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 20:44 2,189,184 a------- c:\windows\system32\ntoskrnl.exe
2009-08-04 20:44 2,189,184 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-04 08:13 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-04 07:20 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-04 07:20 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-08-04 07:20 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-05-19 09:09 38,680 a------- c:\docume~1\admini~1\applic~1\GDIPFONTCACHEV1.DAT
2008-09-05 13:27 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090520080906\index.dat

============= FINISH: 12:09:00.48 ===============


I attached the "attach" file from the DDS scan.



Thanks in advance for help.

Edited by carissa_lee_, 15 October 2009 - 05:55 PM.



#2 carissa_lee_


Posted 20 October 2009 - 12:49 PM

You can lock/close this now. I fixed it.

Thanks though!

#3 Orange Blossom


Posted 23 October 2009 - 08:41 PM

Hello

Thank you for letting us know. I'm glad that your computer problems have been fixed. Since this issue seems to be resolved, this thread will now be closed.

In case you experience any problems with the computer, please start a new topic.

Happy computing,

Orange Blossom :(
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



