
Trojan.FakeAlert Infection After Dealing with MalwareDefense Infection


This topic is locked
3 replies to this topic

#1 HooblaDan

  • Members

Posted 23 December 2009 - 10:35 AM

Howdy,

Yesterday the little brother decided to look at smut, and promptly infected our computer with an annoying program called Malware Defense. Tried safe-mode Avast, didn't work, uninstalled that, did some reading. After running rkill and using a randomly-generated Malwarebytes .exe file, Malware Defense seems to be dead and gone from the computer. It doesn't launch all crazy at start-up and I've yet to see a return in the past three hours after I dealt with it. However, the HJT file seems to list Malware Defense as my AV, which is unsettling and suspicious.

However, Malwarebytes has also detected two Trojan.FakeAlert files, items "\\?\globalroot\systemroot\System32\H8SRTinrimeodbm.dll" and "\\?\globalroot\systemroot\System32\H8SRTinrimeodbm.dll". While the files have the same name, Malwarebytes lists one as a "memory module" and the other as a "file". I click on remove in Malwarebytes, restart, scan again, the infections are back. I noticed this infection file showed up as 'hidden from windows api' during one of the scans I ran for this HJT, but I've no idea what to do about it.

After running rootkit, I also received an error stating "Error - on-disk corruption detected - run chkdsk!"

The Trojan.FakeAlert does not appear to be doing anything clearly visible. I've read that it is supposed to spam you with fake anti-virus but it's not doing so at the moment and has not done so previously, so I'm not certain of how dangerous it actually is; regardless I'd like to be rid of it.

In addition, McAfee and Windows Security Center are unable to start. I'm not sure of how to fix either, and I'm not sure if they're related to the FakeAlert. I've tried two suggested Security Center fixes. One involving setting Security Center to automatic start-up in administrative tools > services. I was unable to find Security Center listed in services. The other fix was only for people who had a strangely-named applet in their control panels and involved tweakui, but I could not find said applet.

As another aside, I noticed that a message about allocated size came up in another scan for this HJT regarding programs that I was installing as I ran the scans. Just in case it matters, I was installing those programs when the scan detected those size allotment problems.

For the moment, Windows Firewall is enabled.

Please help, ask for any additional information you need, and thank you kindly for your time.

EDIT: Although I was installing three games while scanning, I will not install any other programs until advised by volunteers, as requested. Apologies for installing while scanning.

-Daniel

DDS (Ver_09-12-01.01) - NTFSx86
Run by Mom at 6:51:53.42 on Wed 12/23/2009
Internet Explorer: 8.0.6001.18865
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3326.2040 [GMT -8:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Malwarebytes' Anti-Malware\axFsFLUfH.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Windows\explorer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Mom\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3081105
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3081105
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [EPSON Stylus CX9400Fax Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticfa.exe /fu "c:\windows\temp\E_S450B.tmp" /EF "HKCU"
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [<NO NAME>]
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
StartupFolder: c:\users\mom\appdata\roaming\micros~1\windows\startm~1\programs\startup\impuls~1.lnk - c:\program files\stardock\impulse\now\ImpulseNow.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~1.0_0\bin\ssv.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\wpclsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\mom\appdata\roaming\mozilla\firefox\profiles\p25x5g96.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.roadrunner.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\users\mom\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-6-23 214664]
R2 {1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};c:\program files\cyberlink\powerdvd dx\000.fcl [2008-11-5 61424]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2008-11-5 73728]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-4-28 176128]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-5-2 161048]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-6-24 93320]
R2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt60.sys [2008-11-4 27648]
S2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-6-23 359952]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-6-23 144704]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2008-5-14 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2008-5-14 166384]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-10-6 1153368]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-12-23 38224]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-6-23 606736]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-6-23 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-6-23 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-6-23 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-6-23 40552]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-5-14 1120752]

=============== Created Last 30 ================

2009-12-23 14:02:13 8212 ----a-w- c:\windows\mfebcdata
2009-12-23 09:11:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-23 09:11:16 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-23 09:11:16 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-23 01:38:12 653 ----a-w- c:\windows\system32\krl32mainweq.dll
2009-12-23 01:37:10 206 ----a-w- c:\windows\system32\srcr.dat
2009-12-20 10:14:12 0 d-----w- c:\program files\Runic Games
2009-12-20 08:33:54 0 d-----w- c:\users\mom\appdata\roaming\runic games
2009-12-20 00:05:13 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2009-12-20 00:05:13 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2009-12-20 00:05:12 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2009-12-20 00:05:12 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2009-12-20 00:05:12 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2009-12-20 00:05:12 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2009-12-20 00:05:11 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2009-12-20 00:05:11 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2009-12-20 00:05:10 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll
2009-12-17 09:07:22 0 d-----w- c:\program files\Celestia
2009-12-17 07:47:28 0 d-----w- c:\program files\Guild Wars
2009-12-16 18:38:09 0 d-----w- c:\program files\Everquest II
2009-12-15 23:46:46 0 d-----w- c:\program files\IrfanView
2009-12-15 04:26:41 0 d-----w- c:\program files\Indie Games
2009-12-12 07:18:33 0 d-----w- c:\program files\eGames
2009-12-11 01:56:38 0 d-----w- c:\programdata\WEBREG
2009-12-11 01:46:57 0 d-----w- c:\programdata\HP Product Assistant
2009-12-11 01:43:43 0 d-----w- c:\windows\hpojp8500a909
2009-12-11 01:42:55 0 d-----w- c:\program files\common files\HP
2009-12-11 01:41:50 271704 ----a-w- c:\windows\system32\hpzids01.dll
2009-12-11 01:37:53 188668 ----a-w- c:\windows\hpwins22.dat
2009-12-11 00:46:19 0 d-----w- c:\program files\common files\Hewlett-Packard
2009-12-11 00:45:02 118272 ----a-w- c:\windows\system32\hpf3l082.dll
2009-12-11 00:44:51 966656 ----a-w- c:\windows\system32\hpwtiop4.dll
2009-12-11 00:44:51 741376 ----a-w- c:\windows\system32\hpwwiax5.dll
2009-12-11 00:44:51 364544 ----a-w- c:\windows\system32\hppldcoi.dll
2009-12-11 00:44:51 309760 ----a-w- c:\windows\system32\difxapi.dll
2009-12-11 00:44:51 294912 ----a-w- c:\windows\system32\hpovst11.dll
2009-12-11 00:43:39 0 d-----w- c:\program files\HP
2009-12-11 00:40:53 0 d-----w- c:\programdata\HP
2009-12-10 12:04:24 0 dc-h--w- c:\programdata\{E729B920-82B7-4745-BB91-ADFAE44EF2DC}
2009-12-09 11:04:02 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-09 11:04:01 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-09 11:04:01 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-09 03:12:42 243712 ----a-w- c:\windows\system32\rastls.dll
2009-12-07 02:51:14 0 d-----w- c:\program files\Wizards of the Coast
2009-12-05 10:40:30 0 d-----w- c:\users\mom\appdata\roaming\My Battle for Middle-earth™ II Files
2009-12-03 23:15:17 0 d-----w- c:\program files\Kalypso Media
2009-12-01 02:02:40 171144 ----a-w- c:\windows\system32\xliveinstall.dll
2009-12-01 02:02:38 72840 ----a-w- c:\windows\system32\xliveinstallhost.exe
2009-11-30 08:03:31 214504 ----a-w- c:\windows\system32\PnkBstrB.xtr
2009-11-30 07:59:33 139152 ----a-w- c:\users\mom\appdata\roaming\PnkBstrK.sys
2009-11-30 07:59:33 138936 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-11-30 07:59:13 214504 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-11-30 07:59:11 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-11-30 07:58:58 794408 ----a-w- c:\windows\system32\Pbsvc.exe
2009-11-27 21:51:59 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll
2009-11-26 11:01:20 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-25 16:43:25 1401856 ----a-w- c:\windows\system32\msxml6.dll
2009-11-25 16:43:25 1248768 ----a-w- c:\windows\system32\msxml3.dll
2009-11-25 16:43:23 714240 ----a-w- c:\windows\system32\timedate.cpl

==================== Find3M ====================

2009-12-19 21:54:04 23498 ----a-w- c:\users\mom\appdata\roaming\wklnhst.dat
2009-12-11 01:41:54 51200 ----a-w- c:\windows\inf\infpub.dat
2009-12-11 01:41:54 143360 ----a-w- c:\windows\inf\infstor.dat
2009-12-11 01:41:53 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-12-05 22:54:47 94283 ----a-w- c:\windows\War3Unin.dat
2009-11-29 12:27:55 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2009-11-29 12:27:55 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2009-11-21 06:40:20 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34:39 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34:39 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59:58 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-17 14:22:35 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-17 14:22:30 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-11-17 14:22:06 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-06 18:59:54 15406728 ----a-w- c:\windows\system32\xlive.dll
2009-11-06 18:59:54 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-11-02 00:29:51 624 ----a-w- c:\program files\World of Warcraft - Shortcut.lnk
2009-10-08 21:08:01 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-08 21:08:01 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 21:07:59 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-01 01:02:17 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02:05 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-01 01:02:04 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02:00 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01:59 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01:59 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01:56 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01:56 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01:56 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01:56 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01:54 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-10-01 01:01:50 226816 ----a-w- c:\windows\system32\WpdMtp.dll
2009-10-01 01:01:49 61952 ----a-w- c:\windows\system32\WpdMtpUS.dll
2009-10-01 01:01:49 33280 ----a-w- c:\windows\system32\WpdConns.dll
2009-09-27 15:48:56 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2009-09-25 02:10:10 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-25 02:07:08 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04:32 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49:22 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2009-09-25 01:48:08 351232 ----a-w- c:\windows\system32\XpsPrint.dll
2009-09-25 01:38:29 847360 ----a-w- c:\windows\system32\OpcServices.dll
2009-09-25 01:36:13 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2009-09-25 01:35:31 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2009-09-25 01:33:25 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2009-09-25 01:33:15 829440 ----a-w- c:\windows\system32\d3d10warp.dll
2009-09-25 01:33:01 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2009-09-25 01:32:59 252928 ----a-w- c:\windows\system32\dxdiag.exe
2009-09-25 01:31:53 519680 ----a-w- c:\windows\system32\d3d11.dll
2009-09-25 01:31:26 486912 ----a-w- c:\windows\system32\d3d10level9.dll
2009-09-25 01:31:21 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2009-09-25 01:31:19 218112 ----a-w- c:\windows\system32\d3d10_1core.dll
2009-09-25 01:31:16 1030144 ----a-w- c:\windows\system32\d3d10.dll
2009-09-25 01:31:15 828928 ----a-w- c:\windows\system32\d2d1.dll
2009-09-25 01:30:23 481792 ----a-w- c:\windows\system32\dxgi.dll
2009-09-25 01:30:23 190464 ----a-w- c:\windows\system32\d3d10core.dll
2009-09-25 01:27:04 793088 ----a-w- c:\windows\system32\FntCache.dll
2009-09-25 01:27:04 37888 ----a-w- c:\windows\system32\cdd.dll
2009-09-25 01:27:04 1064448 ----a-w- c:\windows\system32\DWrite.dll
2009-09-24 22:54:55 258048 ----a-w- c:\windows\system32\winspool.drv
2009-09-24 22:54:53 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2009-09-24 22:54:52 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-09-18 23:58:22 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-09-18 23:58:22 32768 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-09-18 23:58:22 49152 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
2008-11-05 09:29:03 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 6:53:05.76 ===============

Edited by HooblaDan, 23 December 2009 - 10:36 AM.
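The post above contains the indicators a responder would pull out of this log by eye: Security Center reporting an AV product ("Malware Defense") that the owner never installed, UAC switched off (mPolicies-system: EnableLUA = 0), a 653-byte DLL dropped directly into system32 on the day of the infection, and a Malwarebytes detection whose path starts with \\?\globalroot\ (the NT object-namespace form that shows up when a file is hidden from the Win32 API). The script below is an added example written for this thread, not code from the poster, from DDS or from Malwarebytes; it parses those DDS sections and applies the same rules to any DDS log, so it generalizes past this one case. SAMPLE_DDS is a constructed subset of the log in the post, SAMPLE_MBAM_PATHS holds the path Malwarebytes quoted plus one benign driver path from the log for contrast, and EXPECTED_PRODUCTS and SMALL_BINARY_BYTES are assumptions chosen for the example.

```python
"""Triage a DDS log plus Malwarebytes detection paths for rogue-AV and
rootkit-style indicators.

Added example for this thread, not part of the original post and not DDS or
Malwarebytes code. SAMPLE_DDS is a constructed subset of the DDS log above;
SAMPLE_MBAM_PATHS holds the path quoted in the post plus one benign driver
path from the log. EXPECTED_PRODUCTS and SMALL_BINARY_BYTES are assumptions
chosen for the example.
"""
import re

# Constructed sample: lines copied from the posted DDS log.
SAMPLE_DDS = r"""
AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
2009-12-23 09:11:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-23 01:38:12 653 ----a-w- c:\windows\system32\krl32mainweq.dll
2009-12-23 01:37:10 206 ----a-w- c:\windows\system32\srcr.dat
2009-12-20 00:05:13 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
"""

# Constructed sample: the path Malwarebytes reported in the post, plus a
# benign driver path from the log for contrast.
SAMPLE_MBAM_PATHS = [
    r"\\?\globalroot\systemroot\System32\H8SRTinrimeodbm.dll",
    r"c:\windows\system32\drivers\mbam.sys",
]

# Assumption: security products the machine owner knowingly installed. Any
# AV/SP/FW product Security Center reports that is not on this list is a
# rogue-AV candidate (Malware Defense registered itself there in the post).
EXPECTED_PRODUCTS = ("McAfee", "Windows Defender", "Spybot")
# Assumption: a freshly created .dll/.exe/.sys directly in system32 this
# small is not a real Windows or driver binary and deserves a look.
SMALL_BINARY_BYTES = 4096

PRODUCT_RE = re.compile(r"^(AV|SP|FW): (.+?) \*(.+?)\* \((\w+)\) \{([0-9A-Fa-f-]+)\}$")
POLICY_RE = re.compile(r"^mPolicies-(\w+): (\w+) = (\d+)")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (\S{8}) (.+)$")
SYSTEM32_BIN_RE = re.compile(r"^c:\\windows\\system32\\[^\\]+\.(?:dll|exe|sys)$", re.I)
# "\\?\globalroot\" is the NT object-namespace form Malwarebytes showed for the
# file hidden from the Win32 API; ordinary detections carry a drive letter.
GLOBALROOT_RE = re.compile(r"^\\\\\?\\globalroot\\", re.I)


def parse_dds(text):
    """Pull the three DDS sections the rules need into plain Python data."""
    parsed = {"products": [], "policies": {}, "created": []}
    for line in text.splitlines():
        if m := PRODUCT_RE.match(line):
            parsed["products"].append(
                {"kind": m[1], "name": m[2], "state": m[3], "freshness": m[4], "guid": m[5]}
            )
        elif m := POLICY_RE.match(line):
            parsed["policies"][(m[1], m[2])] = int(m[3])
        elif m := CREATED_RE.match(line):
            parsed["created"].append((m[1], int(m[2]), m[3], m[4]))
    return parsed


def triage(dds_text, mbam_paths, expected=EXPECTED_PRODUCTS):
    """Return (rule, detail) indicator pairs; an empty list means nothing fired."""
    parsed = parse_dds(dds_text)
    hits = []
    # Rule 1: a Security Center registration the owner does not recognise.
    for p in parsed["products"]:
        if not any(e.lower() in p["name"].lower() for e in expected):
            hits.append(("unexpected-security-product", p["name"]))
    # Rule 2: UAC disabled by policy (rogue AV and rootkits both like this).
    if parsed["policies"].get(("system", "EnableLUA")) == 0:
        hits.append(("uac-disabled", "mPolicies-system: EnableLUA = 0"))
    # Rule 3: tiny new executable dropped straight into system32.
    for _ts, size, _attrs, path in parsed["created"]:
        if SYSTEM32_BIN_RE.match(path) and size < SMALL_BINARY_BYTES:
            hits.append(("tiny-new-system32-binary", f"{path} ({size} bytes)"))
    # Rule 4: detection path only reachable through the NT object namespace.
    for path in mbam_paths:
        if GLOBALROOT_RE.match(path):
            hits.append(("globalroot-path", path))
    return hits


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_DDS, SAMPLE_MBAM_PATHS):
        print(f"{rule:28} {detail}")
```

On the sample this fires four times: the unexpected "Malware Defense" product, UAC disabled, krl32mainweq.dll at 653 bytes, and the \\?\globalroot\ path; the large D3DX DLL, the Malwarebytes driver and the .dat file are left alone. The globalroot rule is the one that matters for the "remove, reboot, it's back" loop the poster describes: a file that only Malwarebytes' kernel driver can see, and that reappears after a user-mode delete, needs a rootkit-aware removal tool rather than another on-demand scan.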


#2 HooblaDan

  • Topic Starter
  • Members

Posted 31 December 2009 - 06:26 PM

Howdy, guys.

I know the list says not to bump, but the topic thread says it might take a few days and it's been a bit over a week, so I was wondering if this was left behind in a flurry of other topics or if I just put myself back in line another week.

Please let me know!

From reading the logs created by this website's programs and processes and looking at the corresponding file names in Malwarebytes, I think I see where the files are (all those H8SRTd things) but I have no idea how to make them actually show up so that I can get rid of them.

Edited by HooblaDan, 31 December 2009 - 06:31 PM.


#3 HooblaDan

  • Topic Starter
  • Members

Posted 02 January 2010 - 06:25 AM

Guys, I've moved on over to another tech support site that isn't so busy!

Thanks a bunch for all y'all do, and please close it as per the rules.

#4 Starbuck

  • Malware Response Team
  • Location: Midlands, UK

Posted 04 January 2010 - 03:31 PM

Thanks for letting us know.
I'll now close this thread.
