
Infected with Sandboxie/MyWebTatoo/AVScan


4 replies to this topic

#1 sches


Posted 07 January 2010 - 11:15 PM

Hello:

Three logons are on this laptop - two for teenagers, one for parents. One teen logon was infected with the AVScan trojan/virus after downloading files; the computer was then shut off. Unknowingly, we (parents) logged on and were immediately attacked by this scanner. We reset the system and logged on to safe mode, where we scanned with MBAM, SuperAntiSpyware, and A-squared as per the ZoneAlarm Malware Forum. We then reset to normal mode and rescanned with the above-mentioned tools. We cannot find the logs but remember seeing sandboxie, mywebtatoo, and AVscan.

Although the system seems clean, we find that the two infected logons are unable to gain HTTP access. The one teen logon that did not have contact with the trojan/virus does seem to have full network access.

BTW, we are running SSPro - System Surveillance Pro purchased and licensed from http://www.gpsoftdev.com/ , so this should not be thought of as a malicious program.

We are lost for a solution and truly appreciate your advice.

Thank you and Best regards,
sches


DDS (Ver_09-12-01.01) - FAT32x86
Run by Shawn at 22:27:17.81 on Thu 01/07/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1983.1366 [GMT -5:00]

AV: ZoneAlarm Extreme Security Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Extreme Security Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
SVCHOST.EXE
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\svcwinra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\resfilter32.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Shawn\My Documents\downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page =
uSearch Bar =
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
mSearchAssistant =
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {07058ec3-5152-44f9-9f14-c63ea0c1fef6} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: {D86FC822-4D87-4878-BF27-47DB8D1D59B0} - No File
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {F0626A63-410B-45E2-99A1-3F2475B2D695} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\acrobat\AdobeUpdateManager.exe" AcPro7_1_0 -reboot 1
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [LaunchApp] Alaunch
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [Adobe Version Cue CS2] "c:\program files\adobe\adobe version cue cs2\controlpanel\VersionCueCS2Tray.exe"
mRun: [PC Pitstop Optimize Scheduler] c:\program files\pcpitstop\optimize\PCPOptimize.exe -boot
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [zdrinit] c:\windows\svcwinra.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRunOnce: [ZAFFRegisterTrustChecker] "c:\windows\system32\regsvr32.exe" -s "c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustChecker.dll"
dRunOnce: [ZAFFRegisterTrustCheckerIE] "c:\windows\system32\regsvr32.exe" -s "c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\forget~1.lnk - c:\program files\broderbund\ag creatacard\AGRemind.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\person~1.lnk - c:\program files\broderbund\mavis beacon teaches typing 15\minimavis.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1226347949515
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {BDA70B08-C44E-48AB-BAEC-F119CE92223B} - hxxp://www.pjtv.com/player/player_ocx.jpeg
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: pmnNEtur - pmnNEtur.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\mlJArqNH
Hosts: 195.245.119.131 browser-security.microsoft.com

============= SERVICES / DRIVERS ===============

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2008-11-10 5632]
R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2009-11-28 128016]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-1-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 74480]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-5-6 486280]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2010-1-3 1858144]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-2-12 25208]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-2-12 476528]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-1-20 24652]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 icsak;icsak;c:\program files\checkpoint\zaforcefield\ak\icsak.sys [2009-2-12 35448]
R3 SWLD23U;Netopia 802.11b WLAN USB Adapter;c:\windows\system32\drivers\swld23u.sys [2008-11-10 82888]
S3 IPN2220;acer IPN2220 Wireless LAN Card Driver;c:\windows\system32\drivers\i2220ntx.sys [1980-1-1 160896]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S3 swlubtl;WLAN USB Boot Device;c:\windows\system32\drivers\swlubtl.sys [2008-11-10 53690]

=============== Created Last 30 ================

2010-01-08 02:49:58 53760 ----a-w- c:\windows\system32\dllcache\wiamsmud.dll
2010-01-08 02:48:59 5376 ----a-w- c:\windows\system32\dllcache\viaide.sys
2010-01-08 02:47:56 50688 ----a-w- c:\windows\system32\dllcache\umaxscan.dll
2010-01-08 02:46:57 42496 ----a-w- c:\windows\system32\dllcache\tp4res.dll
2010-01-08 02:45:59 30688 ----a-w- c:\windows\system32\dllcache\sym_u3.sys
2010-01-08 02:44:59 61824 ----a-w- c:\windows\system32\dllcache\speed.sys
2010-01-08 02:43:59 33792 ----a-w- c:\windows\system32\dllcache\smb0w.dll
2010-01-08 02:42:58 18400 ----a-w- c:\windows\system32\dllcache\sgsmld.sys
2010-01-08 02:41:59 77824 ----a-w- c:\windows\system32\dllcache\s3sav4m.sys
2010-01-08 02:40:59 79104 ----a-w- c:\windows\system32\dllcache\rocket.sys
2010-01-08 02:39:59 8832 ----a-w- c:\windows\system32\dllcache\powerfil.sys
2010-01-08 02:38:58 41984 ----a-w- c:\windows\system32\dllcache\ovui2rc.dll
2010-01-08 02:37:56 51552 ----a-w- c:\windows\system32\dllcache\ntgrip.sys
2010-01-08 02:36:57 128000 ----a-w- c:\windows\system32\dllcache\n100325.sys
2010-01-08 02:35:56 6528 ----a-w- c:\windows\system32\dllcache\miniqic.sys
2010-01-08 02:34:58 70730 ----a-w- c:\windows\system32\dllcache\lne100tx.sys
2010-01-08 02:33:59 100992 ----a-w- c:\windows\system32\dllcache\icam5usb.sys
2010-01-08 02:32:59 57471 ----a-w- c:\windows\system32\dllcache\hsf_samp.sys
2010-01-08 02:31:59 123392 ----a-w- c:\windows\system32\dllcache\hpgt21tk.dll
2010-01-08 02:30:58 43520 ----a-w- c:\windows\system32\dllcache\OLD301.tmp
2010-01-08 02:29:59 19996 ----a-w- c:\windows\system32\dllcache\OLD2B6.tmp
2010-01-08 02:28:59 91305 ----a-w- c:\windows\system32\dllcache\dimaint.sys
2010-01-08 02:27:59 249856 ----a-w- c:\windows\system32\dllcache\ctmasetp.dll
2010-01-08 02:26:59 66082 ----a-w- c:\windows\system32\dllcache\OLD147.tmp
2010-01-08 02:25:59 7424 ----a-w- c:\windows\system32\dllcache\adicvls.sys
2010-01-04 07:06:53 0 d-----w- c:\program files\CCleaner
2010-01-03 19:06:30 0 d-----w- c:\program files\a-squared Free
2009-12-19 03:23:41 45056 ----a-w- c:\windows\system32\WNASPI32.DLL
2009-12-19 03:23:41 16512 ----a-w- c:\windows\system32\drivers\ASPI32.SYS
2009-12-19 02:44:48 0 d-----w- C:\iLeadDVD
2009-12-18 04:47:53 0 d-----w- c:\docume~1\alluse~1\applic~1\AVS4YOU
2009-12-18 04:47:27 0 d-----w- c:\program files\AVS4YOU
2009-12-18 04:45:29 0 d-----w- c:\program files\common files\AVSMedia
2009-12-18 04:44:59 974848 ----a-w- c:\windows\system32\mfc70.dll
2009-12-18 04:44:59 487424 ----a-w- c:\windows\system32\msvcp70.dll
2009-12-18 04:44:59 344064 ----a-w- c:\windows\system32\msvcr70.dll
2009-12-18 04:44:59 24576 ----a-w- c:\windows\system32\msxml3a.dll
2009-12-17 06:06:13 797696 ----a-w- c:\windows\svcwinra.exe
2009-12-17 06:06:13 6496256 ----a-w- c:\windows\sspro.exe
2009-12-17 06:06:13 605696 ----a-w- c:\windows\mdiwinsvr.exe
2009-12-17 06:06:13 566784 ----a-w- c:\windows\lsemanager.exe
2009-12-17 06:06:13 397824 ----a-w- c:\windows\resfilter32.exe
2009-12-17 06:06:13 304128 ----a-w- c:\windows\msatools64.dll
2009-12-17 06:06:13 296448 ----a-w- c:\windows\perfsysdeam.dll
2009-12-17 06:06:13 2469 ----a-w- c:\windows\swn32reg.dll
2009-12-17 06:06:13 0 ----a-w- c:\windows\ssprb32wl.dll
2009-12-17 06:06:13 0 ----a-w- c:\windows\sspra32wl.dll
2009-12-17 06:06:13 0 ----a-w- c:\windows\sp32snwl.dll
2009-12-17 05:43:41 453632 ----a-w- c:\windows\system32\SetACL.ocx

==================== Find3M ====================

2010-01-08 02:33:18 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-12-30 19:55:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 19:54:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-21 15:51:04 471552 ----a-w- c:\windows\system32\dllcache\aclayers.dll
2009-10-28 14:40:48 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ----a-w- c:\windows\system32\dllcache\http.sys
2009-10-17 05:39:40 72584 ----a-w- c:\windows\zllsputility.exe
2009-10-17 05:39:32 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:20 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:20 149504 ----a-w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\dllcache\raschap.dll
2009-10-11 09:17:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-02-06 06:28:24 40799 --sha-w- c:\windows\system32\HNqrAJlm.ini2
2008-12-28 23:36:10 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122820081229\index.dat

============= FINISH: 22:29:10.90 ===============

Edited by sches, 08 January 2010 - 05:58 AM.
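The DDS report above lists a per-user proxy set to 127.0.0.1:5555, a Hosts redirect for a microsoft.com name, an extra LSA authentication package and a Winlogon Notify DLL given without a path. The Python script below is an added example (not part of the original post and not the DDS tool) that scans the Pseudo HJT section of such a report for exactly those entry types; the sample log is constructed from lines on this page, and the rule that a loopback proxy accounts for the lost HTTP access on the cleaned logons is an assumption drawn from the symptom sches describes.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log for the entry types in this thread.

Added example: not part of the original post and not the DDS tool itself.
The rules are heuristics (assumptions), not verdicts; every hit needs a human look.
"""
import re

# Constructed sample: a handful of lines copied from the DDS report in the post.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: pmnNEtur - pmnNEtur.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\mlJArqNH
Hosts: 195.245.119.131 browser-security.microsoft.com
"""

LOOPBACK = ("127.0.0.1", "localhost", "::1")
# Only msv1_0 is expected in a stock Windows XP 'Authentication Packages' value.
EXPECTED_LSA_PACKAGES = {"msv1_0"}


def triage(report: str) -> list:
    """Return (rule, detail) pairs for report lines that deserve a closer look."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        # 1. A proxy pointing at the local host: malware that proxied the browser
        #    through its own process leaves this behind, so once the process is
        #    removed the browser cannot reach any HTTP site (assumed cause here).
        m = re.match(r"[umd]Internet Settings,ProxyServer\s*=\s*(.+)", line)
        if m and any(h in m.group(1) for h in LOOPBACK):
            findings.append(("loopback-proxy", m.group(1)))
            continue
        # 2. Hosts entries: DDS prints only non-default ones, so each is a redirect
        #    someone added; a vendor hostname sent to a foreign IP is typical of
        #    rogue-AV families blocking updates or serving their own "scanner".
        m = re.match(r"Hosts:\s+(\S+)\s+(\S+)", line)
        if m:
            findings.append(("hosts-redirect", f"{m.group(2)} -> {m.group(1)}"))
            continue
        # 3. Extra LSA authentication packages load into lsass.exe at boot and
        #    can see credentials; anything beyond msv1_0 is worth checking.
        m = re.match(r"LSA: Authentication Packages\s*=\s*(.+)", line)
        if m:
            for pkg in m.group(1).split():
                if pkg.lower() not in EXPECTED_LSA_PACKAGES:
                    findings.append(("lsa-package", pkg))
            continue
        # 4. Winlogon Notify DLLs named without a directory are resolved through
        #    the DLL search path, a common hiding spot for random-named implants.
        m = re.match(r"Notify:\s+(\S+)\s+-\s+(.+)", line)
        if m and "\\" not in m.group(2):
            findings.append(("winlogon-notify", m.group(2)))
    return findings


def lost_http_explained(findings) -> bool:
    """True when a loopback proxy was found: the assumed cause of the symptom in the
    post (system reported clean, yet the affected logons cannot browse)."""
    return any(rule == "loopback-proxy" for rule, _ in findings)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for rule, detail in hits:
        print(f"[{rule}] {detail}")
    if lost_http_explained(hits):
        print("Per-user proxy points at the local host; review Internet Options > "
              "Connections > LAN settings for each affected logon.")
```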


#2 sches


Posted 10 January 2010 - 10:45 PM

Hello:

We were able to access the MBAM logs. We hope the following will help.

Thank you and Best regards,
sches

Malwarebytes' Anti-Malware 1.43
Database version: 3489
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

1/3/2010 5:23:01 PM
mbam-log-2010-01-03 (17-23-01).txt

Scan type: Full Scan (C:\|)
Objects scanned: 309946
Time elapsed: 34 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weimfbxu (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Thea\Local Settings\Temp\pdfupd.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\Thea\Local Settings\Temporary Internet Files\Content.IE5\4O11KSU9\instRLS[1].exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\Thea\Local Settings\Application Data\srwled\jxousysguard.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.



#3 myrti


Posted 14 January 2010 - 03:00 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  1. Please download OTL from the following mirror:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. I suggest you do this, select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic, which facilitates the cleaning of your machine.

After 5 days, if a topic is not replied to, we assume it has been abandoned and it is closed.

Regards, myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#4 sches


Posted 14 January 2010 - 07:05 PM

We appreciate your reply. However, we went nuclear and have already begun to wipe the drive and reload system and data files.

Please delete this topic when you have the opportunity.

Thank you and Best regards,
sches

#5 myrti


Posted 14 January 2010 - 07:10 PM

Since this topic appears to be resolved, I will now close it. Thanks for letting us know!

If you need this topic re-opened please send me a PM.

Everyone else, please start a new topic.

With Regards,
myrti


