
Trojan Horse Small.BVI and Trojan Horse SpamTool.EVL


  • This topic is locked
3 replies to this topic

#1 zedmaestro

zedmaestro

  • Members
  • 2 posts
  • OFFLINE
  • Local time:06:32 AM

Posted 20 December 2009 - 05:46 AM

Hi
I have an infection with Trojan Horse Small.BVI and Trojan Horse SpamTool.EVL. AVG 9.0 Free Resident Shield reports the infection in the file C:\Windows\Temp\****.tmp\svchost.exe (**** seems to be a random combination of characters, e.g. xurk). I removed the unhealed infections and the threat disappears, but at some point later the threat reappears. I know that svchost.exe is a system file and there's typically about 10 instances of it running in the Task Manager, but CPU usage appears fine.

Things I've noticed:
* This happens only when my laptop is connected to the internet, as I've not received any threat while offline.
* The two trojans are detected by AVG at almost exactly the same time.
* I have run Super Anti Spyware, MalwareBytes, AVG, SpyBot Search & Destroy, Dr.Web CureIt, and Temp File Cleaner (TFC.exe). These detect a threat but are unable to prevent it happening again.

I have attached the Attach.txt and Ark.txt as requested, and a hijackthis.txt too.
Any help would be much appreciated!

Below is my DDS log:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Will at 14:07:27.16 on 20/12/2009
Internet Explorer: 8.0.6001.18865 BrowserJavaVersion: 1.6.0_16
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2047.988 [GMT 4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: ZoneAlarm Anti-Spyware *enabled* (Outdated) {F245A209-1085-48B4-B927-35D56015EC60}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Function Key Controller\FKC.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\mobsync.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Microsoft Office\Office12\POWERPNT.EXE
C:\Windows\system32\UI0Detect.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Will\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.alienware.co.uk/Mothership?Comp=AWEU&SysCode=PC-EU-LT-A51M9750&ai=636E3D4532333831363826706F3D4532313136383941
uWindow Title = Windows Internet Explorer provided by Alienware
uDefault_Page_URL = hxxp://www.alienware.co.uk/Mothership?Comp=AWEU&SysCode=PC-EU-LT-A51M9750&ai=636E3D4532333831363826706F3D4532313136383941
mDefault_Page_URL = hxxp://www.alienware.co.uk/Mothership?Comp=AWEU&SysCode=PC-EU-LT-A51M9750&ai=636E3D4532333831363826706F3D4532313136383941
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [FunctionKeyCtrl] c:\program files\function key controller\FKC.exe
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
TCP: {1422890B-C5A7-479F-BEF5-757FDABEB7EB} = 10.4.128.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\will\appdata\roaming\mozilla\firefox\profiles\7a1o2avx.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/firefox
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\users\will\appdata\roaming\mozilla\firefox\profiles\7a1o2avx.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-12-16 28552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-26 333192]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-26 28424]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-4 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-4 285392]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-12-8 1153368]
R3 CXSONORA;AVerMedia 23885 AvStream Video Capture;c:\windows\system32\drivers\A885VCap.sys [2008-1-21 736000]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2009-6-3 4233728]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-3-21 21504]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-10-6 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-10-6 8320]
S3 RTL85n86;Realtek 8180/8185 Extensible 802.11 Wireless Device Driver;c:\windows\system32\drivers\RTL85n86.sys [2006-11-2 311808]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]

=============== Created Last 30 ================

2009-12-20 04:43:32 0 d-----w- c:\program files\TrendMicro
2009-12-16 10:04:31 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-12-16 10:04:08 0 d-----w- c:\program files\Panda Security
2009-12-16 05:50:47 0 d-----w- c:\users\will\DoctorWeb
2009-12-16 05:13:55 49 ----a-w- c:\windows\wininit.ini
2009-12-16 04:13:15 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2009-12-16 04:12:56 0 d-----w- c:\users\will\appdata\roaming\SUPERAntiSpyware.com
2009-12-16 04:12:56 0 d-----w- c:\program files\SUPERAntiSpyware
2009-12-15 18:35:05 0 d-----w- c:\users\will\appdata\roaming\Malwarebytes
2009-12-15 18:35:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-15 18:35:00 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-15 18:35:00 0 d-----w- c:\programdata\Malwarebytes
2009-12-15 18:35:00 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-09 17:26:44 0 d--h--w- c:\users\will\Tracing
2009-12-09 04:52:00 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-09 04:51:58 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-09 04:51:58 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-09 04:47:47 377344 ----a-w- c:\windows\system32\winhttp.dll
2009-12-09 04:47:02 243712 ----a-w- c:\windows\system32\rastls.dll
2009-12-08 19:40:13 0 d-----w- c:\programdata\Spybot - Search & Destroy
2009-12-08 19:40:13 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-12-08 18:15:51 0 d-----w- c:\program files\GetData
2009-12-08 17:54:52 0 d-----w- c:\program files\DiskInternals
2009-12-08 17:21:57 0 d-sh--w- c:\users\will\Phone Browser
2009-12-08 10:37:52 0 d-----w- c:\program files\common files\PCSuite
2009-12-08 10:36:45 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2009-12-08 10:36:25 0 d-----w- c:\program files\PC Connectivity Solution
2009-12-07 17:51:49 0 d-----w- c:\programdata\Nokia
2009-12-07 17:24:30 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
2009-12-07 17:20:49 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-12-07 17:19:55 0 d-----w- c:\programdata\PC Suite
2009-12-07 17:18:28 0 d-----w- c:\program files\common files\Nokia
2009-12-07 17:12:28 91136 ----a-w- c:\windows\system32\nmwcdcls.dll
2009-12-07 17:12:27 0 d-----w- c:\program files\Nokia
2009-12-07 16:34:53 0 d-----w- c:\programdata\Installations
2009-12-07 16:32:42 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-11-29 04:50:38 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-29 04:49:30 1401856 ----a-w- c:\windows\system32\msxml6.dll
2009-11-29 04:49:30 1401856 ----a-w- c:\windows\system32\msxml6(492).dll
2009-11-29 04:49:29 1248768 ----a-w- c:\windows\system32\msxml3.dll
2009-11-29 04:49:29 1248768 ----a-w- c:\windows\system32\msxml3(491).dll
2009-11-29 04:49:26 714240 ----a-w- c:\windows\system32\timedate.cpl
2009-11-20 18:55:02 0 d-----w- c:\program files\Microsoft
2009-11-20 18:54:46 0 d-----w- c:\program files\Windows Live SkyDrive
2009-11-20 18:43:01 0 d-----w- c:\program files\common files\Windows Live

==================== Find3M ====================

2009-12-20 04:32:47 569538 ----a-w- c:\programdata\nvModes.dat
2009-12-20 04:32:45 350192 ---ha-w- c:\windows\system32\drivers\vsconfig.xml
2009-12-18 11:13:39 19944 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-13 18:32:31 51200 ----a-w- c:\windows\inf\infpub.dat
2009-12-13 18:32:31 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-12-08 10:38:58 143360 ----a-w- c:\windows\inf\infstor.dat
2009-12-08 10:04:52 350192 ---ha-w- c:\windows\system32\drivers\vsconfig(587).xml
2009-11-21 06:40:20 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34:39 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34:39 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59:58 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-10 11:25:10 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-04 15:01:09 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-04 15:01:07 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-02 16:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-01 16:20:26 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01009.Wdf
2009-11-01 16:20:17 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2009-10-28 20:28:35 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-10-28 20:28:05 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-10-22 15:43:03 87608 ----a-w- c:\users\will\appdata\roaming\inst.exe
2009-10-22 15:43:03 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-10-22 15:43:03 47360 ----a-w- c:\users\will\appdata\roaming\pcouffin.sys
2009-10-12 23:26:05 319456 ----a-w- c:\windows\DIFxAPI.dll
2009-10-08 21:08:01 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-08 21:08:01 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 21:08:01 234496 ----a-w- c:\windows\system32\oleacc(494).dll
2009-10-08 21:07:59 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-06 18:08:22 53792 ----a-w- c:\windows\system32\RtkCoInst.dll
2009-10-06 18:08:22 1352736 ----a-w- c:\windows\system32\RtkPgExt.dll
2009-10-06 18:08:16 338464 ----a-w- c:\windows\system32\RtkApoApi.dll
2009-10-06 18:08:16 2791456 ----a-w- c:\windows\system32\RtkAPO.dll
2009-10-06 07:55:50 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
2009-10-06 07:52:46 660480 ----a-w- c:\windows\system32\nmwcdcocls.dll
2009-10-01 01:02:17 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02:05 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-01 01:02:04 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02:04 334848 ----a-w- c:\windows\system32\PortableDeviceApi(500).dll
2009-10-01 01:02:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02:00 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01:59 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01:59 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01:56 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01:56 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01:56 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01:56 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01:54 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-10-01 01:01:50 226816 ----a-w- c:\windows\system32\WpdMtp.dll
2009-10-01 01:01:49 61952 ----a-w- c:\windows\system32\WpdMtpUS.dll
2009-10-01 01:01:49 33280 ----a-w- c:\windows\system32\WpdConns.dll
2009-09-30 21:49:42 149800 ----a-w- c:\users\will\appdata\roaming\nvModes.dat
2009-09-25 02:10:10 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-25 02:10:10 974848 ----a-w- c:\windows\system32\WindowsCodecs(514).dll
2009-09-25 02:07:08 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04:32 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49:22 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2009-09-25 01:48:08 351232 ----a-w- c:\windows\system32\XpsPrint.dll
2009-09-25 01:38:29 847360 ----a-w- c:\windows\system32\OpcServices.dll
2009-09-25 01:36:13 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2009-09-25 01:35:31 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2009-09-25 01:33:25 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2009-09-25 01:33:15 829440 ----a-w- c:\windows\system32\d3d10warp.dll
2009-09-25 01:33:01 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2009-09-25 01:32:59 252928 ----a-w- c:\windows\system32\dxdiag.exe
2009-09-25 01:31:53 519680 ----a-w- c:\windows\system32\d3d11.dll
2009-09-25 01:31:26 486912 ----a-w- c:\windows\system32\d3d10level9.dll
2009-09-25 01:31:21 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2009-09-25 01:31:19 218112 ----a-w- c:\windows\system32\d3d10_1core.dll
2009-09-25 01:31:16 1030144 ----a-w- c:\windows\system32\d3d10.dll
2009-09-25 01:31:15 828928 ----a-w- c:\windows\system32\d2d1.dll
2009-09-25 01:30:23 481792 ----a-w- c:\windows\system32\dxgi.dll
2009-09-25 01:30:23 190464 ----a-w- c:\windows\system32\d3d10core.dll
2009-09-25 01:27:04 793088 ----a-w- c:\windows\system32\FntCache.dll
2009-09-25 01:27:04 37888 ----a-w- c:\windows\system32\cdd.dll
2009-09-25 01:27:04 1064448 ----a-w- c:\windows\system32\DWrite.dll
2009-09-24 22:54:55 258048 ----a-w- c:\windows\system32\winspool.drv
2009-09-24 22:54:55 258048 ----a-w- c:\windows\system32\winspool(516).drv
2009-09-24 22:54:53 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2009-09-24 22:54:52 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2009-09-24 18:40:28 280576 ----a-w- c:\windows\system32\FMAPO.dll
2008-03-21 13:51:46 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 14:08:37.74 ===============
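The poster's own sanity check, that svchost.exe is a system binary that normally lives in System32 and is started by the Service Control Manager with a `-k` service-group argument, can be turned into a small triage rule. The script below is an added example, not part of the original post and not code from the DDS tool: it parses lines in the format of the DDS "Running Processes" section and flags any svchost.exe running outside `C:\Windows\System32`, any svchost.exe launched without a `-k` group, and any executable running from a Temp directory (the `C:\Windows\Temp\xurk.tmp\svchost.exe` location described above). The sample lines are constructed, and the script assumes Windows is installed on `C:`.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the format of a DDS "Running Processes" listing.
# The Temp\xurk.tmp line mirrors the path AVG reported in the post above.
SAMPLE_PROCESSES = """\
C:\\Windows\\system32\\svchost.exe -k DcomLaunch
C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted
C:\\Program Files\\AVG\\AVG9\\avgtray.exe
C:\\Windows\\Temp\\xurk.tmp\\svchost.exe
"""

# Assumption: Windows on C:. On another drive adjust this to %SystemRoot%.
SYSTEM_SVCHOST_DIR = str(PureWindowsPath(r"C:\Windows\System32")).lower()

# Path fragments that mark the usual temp locations (compared lower-case).
TEMP_MARKERS = ("\\temp\\", "\\appdata\\local\\temp\\")


def split_command_line(line):
    """Return (image_path, args) for one DDS process line, or None.

    DDS prints the full image path followed by any arguments. Paths may
    contain spaces, so split at the first '.exe' rather than at whitespace.
    """
    m = re.match(r"(?i)^(.+?\.exe)(?:\s+(.*))?$", line.strip())
    if not m:
        return None
    return m.group(1), (m.group(2) or "")


def classify(line):
    """Return a list of findings for one process line (empty = nothing flagged)."""
    parsed = split_command_line(line)
    if parsed is None:
        return []
    image, args = parsed
    path = PureWindowsPath(image)
    findings = []

    if path.name.lower() == "svchost.exe":
        # Genuine svchost.exe lives in System32 ...
        if str(path.parent).lower() != SYSTEM_SVCHOST_DIR:
            findings.append(f"svchost.exe outside System32: {image}")
        # ... and is started by the SCM with a '-k <group>' argument.
        if not re.search(r"(?i)(^|\s)-k\s+\S+", args):
            findings.append(f"svchost.exe without a -k service group: {image}")

    # Any executable running from a temp directory is worth a second look.
    lowered = image.lower()
    if any(marker in lowered for marker in TEMP_MARKERS):
        findings.append(f"executable running from a temp directory: {image}")

    return findings


def scan(text):
    """Run classify() over every non-empty line; map flagged lines to findings."""
    report = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        findings = classify(line)
        if findings:
            report[line] = findings
    return report


if __name__ == "__main__":
    for line, findings in scan(SAMPLE_PROCESSES).items():
        print(line)
        for finding in findings:
            print("   ->", finding)
```

Running it against the constructed sample flags only the Temp\xurk.tmp line, with all three findings, while the legitimate System32 instances with their `-k` groups pass. The same rules apply to the running-process section of any DDS log pasted into a reply; a hit on a "svchost.exe" that is not in System32 is the kind of thing a helper would ask about before suggesting further tools.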


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:04:32 AM

Posted 03 January 2010 - 06:03 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from following mirror:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

Regards, myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM unless I am already helping you. Use the forums!


#3 zedmaestro

zedmaestro
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:06:32 AM

Posted 03 January 2010 - 06:16 AM

Hi
Thanks for getting back to me. I have since fixed the problem by using the Alienware Respawn tool. A factory-settings system was restored and the original system put away in a backup folder. I switched from AVG Free and ZoneAlarm to Comodo Internet Security. When I started clearing out the backup folder it found the infection was in the Windows\System32\ files below:

winmow.exe with Heur.Packed.Unknown
psuninst2.exe with Heur.Packed.Unknown
OEM\OSCust.exe with Unclassified Malware

So the problem is gone. Thanks though!

#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:04:32 AM

Posted 03 January 2010 - 06:21 AM

Hi,

Many thanks for letting me know! :(

Since this topic appears to be resolved, I will now close it.

If you need this topic re-opened please send me a PM.

Everyone else, please start a new topic.

With Regards,
myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM unless I am already helping you. Use the forums!
