Worm/Malware that kills run, system restore, regedit...


  • This topic is locked
2 replies to this topic

#1 MajinFusion

  • Members
  • 1 posts
  • OFFLINE
  • Local time:06:29 AM

Posted 30 October 2009 - 12:22 AM

Earlier today a few friends were sending random MSN links to bogus "pictures" (unknowingly, of course); they're pretty clueless when it comes to comps. I thought I'd try to help them out with this. I've come across a few of these trojans/worms from MSN before, but this is different:
It's a SCR file disguised as an image; once installed (opened), it takes you to the screensaver menu with 3D text of "I roxx0r" displaying for a second before closing and removing itself from the screensaver screen altogether.
The worm removes Run... (Winkey+R says it was removed due to restrictions), disables Folder Options, turns off System Restore, and kills just about any program that attempts to touch the registry (HijackThis is barely able to create/save a report; it closes about 2 seconds after it's opened). I ran Avast, nothing found; I tried Panda (2010) and even that won't open up properly, let alone attempt to run a scan.
Changing group policies won't work either; it will not give me enough time to change them before it forces it to exit out.
Safe mode seems to work to a certain extent, but whatever I manage to fix (get the Run... option back, Folder Options, etc.) seems to be removed within minutes of the next reboot, and I have to start the process all over again.
I also get the following error whenever I plug in a USB device (magicJack): Exception PRocessing Message c0000013 Parameters 75b6bf7c 4 75b6bf7c 75b6bf7c (this never ever happened before, and no matter how many times I hit Cancel, Try Again, or Continue, it will not disappear, not even if I remove the flash drive).

DDS REPORT:


DDS (Ver_09-10-26.01) - NTFSx86
Run by Administrator at 23:56:28.06 on Thu 10/29/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1791.1228 [GMT -6:00]


============== Running Processes ===============

C:\DOCUME~1\ADMINI~2\LOCALS~1\Temp\ISSCAN\PskSvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\svchost -k Panda
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Panda Security\Panda Global Protection 2010\PskSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: SFCDisable=-99 (0xffffff9d)
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: MasterCook Bar: {c92041c1-6d22-4069-ba0e-66246aa752b0} - c:\windows\system32\shdocvw.dll
uRun: [InternetCalls] "c:\program files\internetcalls.com\internetcalls\InternetCalls.exe" -nosplash -minimized
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Windows Login Services] "c:\documents and settings\administrator\application data\s85-28348346-uit83-g3-72366-gdsg-1732735\winlogon.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [cdloader] "c:\documents and settings\administrator\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRunOnce: [UniblueRegistryBooster] "launcher.exe" delay 20000
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Windows Login Services] "c:\documents and settings\administrator\application data\s85-28348346-uit83-g3-72366-gdsg-1732735\winlogon.exe"
mRun: [APVXDWIN] "c:\program files\panda security\panda global protection 2010\APVXDWIN.EXE" /s
mRun: [SCANINICIO] "c:\program files\panda security\panda global protection 2010\Inicio.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uExplorerRun: [Windows Login Services] "c:\documents and settings\administrator\application data\s85-28348346-uit83-g3-72366-gdsg-1732735\winlogon.exe"
mExplorerRun: [Windows Login Services] "c:\documents and settings\administrator\application data\s85-28348346-uit83-g3-72366-gdsg-1732735\winlogon.exe"
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-explorer: NoRun = 1 (0x1)
uPolicies-explorer: DisallowRun = 0 (0x0)
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableCMD = 1 (0x1)
mPolicies-explorer: NoFolderOptions = 1 (0x1)
mPolicies-explorer: NoRun = 1 (0x1)
mPolicies-explorer: DisallowRun = 0 (0x0)
mPolicies-system: DisableCMD = 1 (0x1)
mPolicies-system: DisableRegistryTools = 1 (0x1)
IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB}
IE: {925DAB62-F9AC-4221-806A-057BFB1014AA}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {E6EF5071-7647-4E85-9785-87B6CF5CB561} - {C92041C1-6D22-4069-BA0E-66246AA752B0} - c:\windows\system32\shdocvw.dll
Trusted Zone: echostar.com\retailer
DPF: {41861299-EAB2-4DCC-986C-802AE12AC499} - hxxps://www.directvcoop.com/Reserved.ReportViewerWebControl.axd?ReportSession=42go3rrqkc22kpbaj2wfhpbx&ControlID=3d630e98f2004c51860505f116181ed4&Culture=1033&UICulture=1033&ReportStack=1&OpType=PrintCab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avldr - avldr.dll
Notify: PremierOpinion - c:\program files\premieropinion\pmls.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~2\applic~1\mozilla\firefox\profiles\oea7kl4a.default\
FF - component: c:\program files\premieropinion\components\pmxg.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\oea7kl4a.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiCHPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: *xg.dll: {6E19037A-12E3-4295-8915-ED48BC341614} - c:\program files\PremierOpinion
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-10-29 28552]
R1 APPFLT;App Filter Plugin;c:\windows\system32\drivers\APPFLT.SYS [2009-10-29 75016]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2009-1-22 13696]
R1 DSAFLT;DSA Filter Plugin;c:\windows\system32\drivers\dsaflt.sys [2009-10-29 53128]
R1 FNETMON;NetMon Filter Plugin;c:\windows\system32\drivers\fnetmon.sys [2009-10-29 22072]
R1 IDSFLT;Ids Filter Plugin;c:\windows\system32\drivers\idsflt.sys [2009-10-29 193800]
R1 NETFLTDI;Panda Net Driver [TDI Layer];c:\windows\system32\drivers\NETFLTDI.SYS [2009-10-29 159112]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R1 WNMFLT;Wifi Monitor Filter Plugin;c:\windows\system32\drivers\wnmflt.sys [2009-10-29 46728]
R2 Gwmsrv;Panda Goodware Cache Manager;c:\windows\system32\svchost -k panda --> c:\windows\system32\svchost -k Panda [?]
R2 HssSrv;Hotspot Shield Helper Service;c:\program files\hotspot shield\hsswpr\hsssrv.exe [2009-2-5 117208]
R2 PskSvcRetail;Panda PSK service;c:\program files\panda security\panda global protection 2010\psksvc.exe [2009-10-29 28928]
R2 PskSvcRetailInst;PskSvcRetailInst;c:\docume~1\admini~2\locals~1\temp\isscan\PskSvc.exe [2009-10-29 28928]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-6-12 24652]
R3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\system32\drivers\hssdrv.sys [2009-2-10 31704]
R3 NETIMFLT01060039;PANDA NDIS IM Filter Miniport v1.6.0.39;c:\windows\system32\drivers\neti1639.sys [2009-10-29 199432]
R3 PavTPK.sys;PavTPK.sys;\??\c:\windows\system32\pavtpk.sys --> c:\windows\system32\PavTPK.sys [?]
S3 MRVW225;802.11g/b Wireless LAN Dirver for Windows XP;c:\windows\system32\drivers\MRVW225.sys [2009-1-7 299904]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]

============== File Associations ===============

JSEFile=c:\progra~1\pandas~1\pandag~1\PavScrip.exe "%1" %*
VBEFile=c:\progra~1\pandas~1\pandag~1\PavScrip.exe "%1" %*
VBSFile=c:\progra~1\pandas~1\pandag~1\PavScrip.exe "%1" %*

=============== Created Last 30 ================

2052-07-05 01:46:34 647872 ----a-w- c:\windows\system32\mscomct2.ocx
2052-07-05 01:46:34 415176 ----a-w- c:\windows\system32\comct332.ocx
2052-07-05 01:46:34 209608 ----a-w- c:\windows\system32\tabctl32.ocx
2052-07-05 01:46:34 140288 ----a-w- c:\windows\system32\comdlg32.ocx
2009-10-30 05:15:38 0 d-----w- c:\docume~1\admini~2\applic~1\Uniblue
2009-10-30 05:15:32 0 d-----w- c:\program files\Uniblue
2009-10-30 05:09:33 0 d-----w- c:\program files\Trend Micro
2009-10-30 05:04:40 0 d-----w- c:\docume~1\alluse~1.win\applic~1\SUPERAntiSpyware.com
2009-10-30 05:04:19 0 d-----w- c:\program files\SUPERAntiSpyware
2009-10-30 05:04:19 0 d-----w- c:\docume~1\admini~2\applic~1\SUPERAntiSpyware.com
2009-10-30 05:04:11 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-10-30 04:33:29 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Backup
2009-10-30 04:33:08 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Panda Security
2009-10-30 04:33:08 0 d-----w- c:\docume~1\admini~2\applic~1\Panda Security
2009-10-30 04:15:22 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-10-30 04:14:44 0 d-----w- c:\program files\Panda Security
2009-10-30 03:09:12 426 --sha-r- c:\documents and settings\administrator\ntuser.pol
2009-10-30 02:30:07 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-30 01:51:50 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-10-30 01:51:50 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Spybot - Search & Destroy
2009-10-30 01:49:42 0 d-----w- c:\program files\EventLog Inspector 2
2009-10-30 01:49:42 0 d-----w- c:\docume~1\alluse~1.win\applic~1\SnmpSoft
2009-10-30 01:45:53 0 d-----w- c:\documents and settings\administrator\DoctorWeb
2009-10-30 01:43:45 0 d-----w- c:\docume~1\admini~2\applic~1\Malwarebytes
2009-10-30 01:43:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-30 01:43:39 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-30 01:43:39 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-10-30 01:43:38 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-30 01:33:44 0 d--h--w- c:\windows\system32\GroupPolicy
2009-10-30 01:22:55 0 d-sh--w- c:\docume~1\admini~2\applic~1\S85-28348346-UIT83-G3-72366-GDSG-1732735
2009-10-29 19:03:17 0 d-----w- c:\program files\Recovery Toolbox for Word
2009-10-29 18:56:25 0 d-----w- c:\program files\MSECache
2009-10-26 16:13:13 532480 ----a-w- c:\windows\system32\Carve-O-Lantern.scr
2009-10-26 16:13:13 0 d-----w- c:\windows\system32\Carve-O-Lantern dir
2009-10-26 16:12:44 0 d-----w- c:\program files\PremierOpinion
2009-10-26 16:12:35 97 ----a-w- c:\windows\3dhallpumpkin.ini
2009-10-26 16:12:35 69632 ----a-w- c:\windows\3D Halloween Pumpkin.scr
2009-10-26 16:12:35 1839168 ----a-w- c:\windows\system32\truevision3d.dll
2009-10-26 16:12:35 1036288 ----a-w- c:\windows\system32\tvutil62.dll
2009-10-26 16:12:35 0 d-----w- c:\windows\acezsoftware
2009-10-26 16:12:35 0 d-----w- c:\program files\3D Halloween Pumpkin Screen Saver 1.0
2009-10-26 16:12:18 0 d-----w- c:\program files\www_screensavers_com
2009-10-26 02:13:05 0 d-----w- c:\program files\FullScreensavers.com
2009-10-15 14:25:50 0 d-----w- c:\documents and settings\administrator\Livestation
2009-10-15 14:25:50 0 d-----w- c:\docume~1\admini~2\applic~1\Mchid
2009-10-15 14:25:50 0 d-----w- c:\docume~1\admini~2\applic~1\Livestation
2009-10-15 14:25:44 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-10-15 14:25:44 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2009-10-15 14:25:44 0 d-----w- c:\program files\OpenAL
2009-10-15 14:25:39 0 d-----w- c:\program files\Livestation
2009-10-05 01:43:33 0 d-----w- c:\program files\Microsoft
2009-10-03 14:51:36 0 d-----w- c:\windows\system32\wbem\Repository
2009-10-03 14:48:28 0 d-----w- c:\program files\3Deep Space
2009-10-01 22:09:06 0 d-----w- c:\program files\EmoticonMadeEasy
2009-10-01 18:17:21 0 d-----w- c:\program files\NetDog

==================== Find3M ====================

2009-10-30 04:33:53 198376 ----a-w- c:\windows\system32\drivers\APPFCONT.DAT.bck
2009-10-30 04:33:53 198376 ----a-w- c:\windows\system32\drivers\APPFCONT.DAT
2009-10-30 04:33:53 1132 ----a-w- c:\windows\system32\drivers\APPFLTR.CFG.bck
2009-10-30 04:33:53 1132 ----a-w- c:\windows\system32\drivers\APPFLTR.CFG
2009-10-01 05:07:44 75016 ----a-w- c:\windows\system32\drivers\APPFLT.SYS
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 16:29:18 199432 ----a-w- c:\windows\system32\drivers\neti1639.sys
2009-09-07 17:54:22 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-09-07 17:26:14 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-09-04 23:44:40 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-04 23:44:40 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-09-04 23:44:40 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-09-04 23:29:34 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-09-04 23:29:34 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-09-04 23:29:32 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-04 23:29:32 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-09-04 23:29:30 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 05:33:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-15 16:28:58 5607 ----a-w- c:\windows\~GLH0001.TMP
2009-08-15 16:28:57 104688 ----a-w- c:\windows\~GLC0001.TMP
2009-08-15 16:28:04 5607 ----a-w- c:\windows\~GLH0000.TMP
2009-08-15 16:28:03 104688 ----a-w- c:\windows\~GLC0000.TMP
2009-08-07 01:23:46 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 01:23:46 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13:08 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20:09 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2006-05-31 15:14:50 108056 ----a-w- c:\program files\common files\secman.dll
2006-03-12 01:09:30 626176 ----a-w- c:\program files\common files\osmax.ocx
2009-02-15 17:24:30 88 --sh--r- c:\windows\system32\1803F96448.sys
2009-07-14 04:08:16 3454 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 23:57:08.81 ===============


I hope you guys can help me with this tricky little thing :(
I also still have the original file that "caused" all this in case anyone can examine that directly. (moved it to a spare flash drive in case it needed to be looked at directly)

Thank you :(

Edited by MajinFusion, 30 October 2009 - 12:24 AM.
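The symptoms in the first post (Run, Folder Options, regedit and cmd locked out; the same program registered under several autorun keys) are all visible in the "Pseudo HJT Report" section of the DDS log. The following is an added example, written for this thread and not part of DDS or of the original post: a small Python triage helper that parses the autorun (uRun/mRun/dRun/RunOnce/ExplorerRun) and policy (uPolicies-*/mPolicies-*) lines DDS prints, lists the Explorer/System restrictions that are switched on, and flags autoruns by two heuristics chosen here (assumptions, not DDS rules): a program started from a user-writable profile directory, and a file that borrows the name of a Windows system process but does not live under the Windows directory. The sample lines are copied from the report above.

```python
"""Triage helper for the "Pseudo HJT Report" section of a DDS log.

Added example for this thread; not part of DDS or of the original post.
The heuristics below are this example's own assumptions.
"""
import re
from collections import defaultdict

# Policy values that, when set to 1, lock the user out of a built-in tool.
# "u" entries are HKCU policies, "m" entries are HKLM policies.
RESTRICTIVE_POLICIES = {
    "NoRun": "Start > Run disabled",
    "NoFolderOptions": "Folder Options disabled",
    "DisableRegistryTools": "regedit disabled",
    "DisableCMD": "cmd.exe disabled",
    "DisableTaskMgr": "Task Manager disabled",
    "NoControlPanel": "Control Panel disabled",
}

# Process names that legitimately live only under the Windows directory.
SYSTEM_PROCESS_NAMES = {"winlogon.exe", "svchost.exe", "csrss.exe", "lsass.exe",
                        "services.exe", "smss.exe", "explorer.exe"}

# Profile locations a limited user can write to; autoruns there deserve a look.
USER_WRITABLE_MARKERS = ("\\application data\\", "\\local settings\\", "\\temp\\")

AUTORUN_RE = re.compile(
    r"^(?P<hive>[umd])(?P<key>Run|RunOnce|ExplorerRun): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
POLICY_RE = re.compile(
    r"^(?P<hive>[um])Policies-(?P<branch>explorer|system): (?P<name>\w+) = (?P<val>-?\d+) \(0x[0-9a-fA-F]+\)$")
# Program path = text up to the first executable extension that is followed by a
# quote, whitespace, a comma or end of line (so "foo.com\bar.exe" is not cut at .com).
IMAGE_RE = re.compile(
    r'^"?(?P<path>.*?\.(?:exe|scr|dll|com|bat|cmd|vbs|pif))(?=["\s,]|$)', re.IGNORECASE)

# Sample input: autorun and policy lines copied from the DDS report in the first post.
SAMPLE_LINES = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Windows Login Services] "c:\documents and settings\administrator\application data\s85-28348346-uit83-g3-72366-gdsg-1732735\winlogon.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [cdloader] "c:\documents and settings\administrator\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Windows Login Services] "c:\documents and settings\administrator\application data\s85-28348346-uit83-g3-72366-gdsg-1732735\winlogon.exe"
mRun: [APVXDWIN] "c:\program files\panda security\panda global protection 2010\APVXDWIN.EXE" /s
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uExplorerRun: [Windows Login Services] "c:\documents and settings\administrator\application data\s85-28348346-uit83-g3-72366-gdsg-1732735\winlogon.exe"
mExplorerRun: [Windows Login Services] "c:\documents and settings\administrator\application data\s85-28348346-uit83-g3-72366-gdsg-1732735\winlogon.exe"
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-explorer: NoRun = 1 (0x1)
uPolicies-explorer: DisallowRun = 0 (0x0)
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableCMD = 1 (0x1)
mPolicies-explorer: NoFolderOptions = 1 (0x1)
mPolicies-explorer: NoRun = 1 (0x1)
mPolicies-system: DisableCMD = 1 (0x1)
mPolicies-system: DisableRegistryTools = 1 (0x1)
""".strip().splitlines()


def image_path(cmd):
    """Return the lower-cased program path from a Run-key command line."""
    m = IMAGE_RE.match(cmd.strip())
    return (m.group("path") if m else cmd.strip()).lower()


def active_restrictions(lines):
    """Return (location, policy name, meaning) for each restrictive policy set to 1."""
    found = []
    for line in lines:
        m = POLICY_RE.match(line.strip())
        if m and m.group("name") in RESTRICTIVE_POLICIES and int(m.group("val")) == 1:
            found.append(("%sPolicies-%s" % (m.group("hive"), m.group("branch")),
                          m.group("name"), RESTRICTIVE_POLICIES[m.group("name")]))
    return found


def suspicious_autoruns(lines):
    """Return {program path: {"name", "locations", "reasons"}} for flagged autoruns."""
    locations = defaultdict(list)   # path -> autorun keys it was found in
    names = {}                       # path -> bracketed value name DDS showed
    for line in lines:
        m = AUTORUN_RE.match(line.strip())
        if not m:
            continue
        path = image_path(m.group("cmd"))
        locations[path].append(m.group("hive") + m.group("key"))
        names[path] = m.group("name")

    flagged = {}
    for path, locs in locations.items():
        reasons = []
        if any(marker in path for marker in USER_WRITABLE_MARKERS):
            reasons.append("started from a user-writable profile directory")
        basename = path.rsplit("\\", 1)[-1]
        if basename in SYSTEM_PROCESS_NAMES and "\\windows\\" not in path:
            reasons.append("uses a Windows system process name outside the Windows directory")
        # Several registrations only matter once something else looks wrong;
        # ctfmon.exe legitimately appears under both uRun and dRun.
        if reasons and len(locs) > 1:
            reasons.append("registered in %d autorun locations" % len(locs))
        if reasons:
            flagged[path] = {"name": names[path], "locations": locs, "reasons": reasons}
    return flagged


def triage(lines):
    """Combine both checks into one report dictionary."""
    return {"restrictions": active_restrictions(lines),
            "autoruns": suspicious_autoruns(lines)}


if __name__ == "__main__":
    report = triage(SAMPLE_LINES)
    for where, name, meaning in report["restrictions"]:
        print("%-20s %-22s %s" % (where, name, meaning))
    for path, info in report["autoruns"].items():
        print("\n[%s] %s\n  in: %s" % (info["name"], path, ", ".join(info["locations"])))
        for reason in info["reasons"]:
            print("  - " + reason)
```

On the sample above the script reports eight active restrictions (NoRun, NoFolderOptions, DisableRegistryTools and DisableCMD in both the user and the machine hive, which matches the locked-out Run box, Folder Options and regedit the poster describes) and flags the "Windows Login Services" entry on all three counts: a winlogon.exe in Application Data, outside the Windows directory, registered under four autorun keys. It also flags magicJack's cdloader2.exe, which lives in Application Data too; the heuristics are a starting point for a human to confirm against the file itself, not a verdict.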



#2 m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:10:29 AM

Posted 05 November 2009 - 08:06 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :(
m0le is a proud member of UNITE

#3 m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:10:29 AM

Posted 08 November 2009 - 04:51 AM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :(

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
