
Sophisticated Attack - Please Help


  • This topic is locked
2 replies to this topic

#1 drgrass

Posted 23 January 2010 - 10:47 AM

System is Toshiba W7 64 Home Premium.

Yesterday I received something like 50 e-mails that landed in my junk e-mail folder of Outlook 2007. I clicked on the junk e-mail folder to display the contents of the folder and saw that all the e-mails had a subject containing the word "root." I did not click on any of the individual e-mails. I did not have preview turned on or any reading panes open. My inbound e-mails display in HTTP format. I immediately deleted the contents of the junk e-mail folder.

My G-data firewall scanner immediately reported that my computer had been scanned. I went home, did an Acronis restore of my complete hard drive to a prior day before the infection and went to bed.

This morning the same thing happened again. Another 50 e-mails. Another warning my computer had been scanned. The G-data antivirus log showed no viruses were detected in the incoming e-mails.

The G-data firewall log showed an inbound port scan on TCP ports 51395-51442 which were all blocked. The originator of the scans was identified as IP 92.46.53.183 from c3.skilltex.kz.

A Shields-up scan showed no open ports on my system (probably blocked by my router, I didn't try bypassing the router) and no open ports in that range that was scanned.

About 20 minutes later, I returned to the firewall log and all entries pertaining to the port scans were gone. Time stamped entries on both sides of those warnings were still there.

I ran an online virus scan using Norton's online scanning tools (security and antivirus) and nothing showed up. I reran G-data's full computer scan and nothing showed up. A Google search showed some Russian(?) text surrounding this kz domain, but nothing definitive as to what this is about.

Don

------------------------------------

Here is the DDS.txt:


DDS (Ver_09-12-01.01) - NTFSX64
Run by Don at 9:38:55.00 on Sat 01/23/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4059.1484 [GMT -6:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\SysWOW64\brsvc01a.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files (x86)\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Windows\SysWOW64\brss01a.exe
C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
C:\Program Files (x86)\Common Files\G DATA\AVKProxy\AVKProxy.exe
C:\Program Files (x86)\G Data\InternetSecurity\AVK\AVKService.exe
C:\Program Files (x86)\G Data\InternetSecurity\AVK\AVKWCtlX64.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\OBV Residential Suite\aua\bin\Aua.exe
C:\Program Files\OBV Residential Suite\aua\jvm\bin\auaJW.exe
C:\Program Files\OBV Residential Suite\bin\CDPService64.exe
C:\Program Files\OBV Residential Suite\bin\CDPService64.exe
C:\Windows\system32\conhost.exe
C:\Program Files\OBV Residential Suite\bin\Scheduler.exe
C:\Program Files\OBV Residential Suite\jvm\bin\bschJW.exe
C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\ThpSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files (x86)\Common Files\G DATA\GDScan\GDScan.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\rundll32.exe
C:\Program Files (x86)\G Data\InternetSecurity\Firewall\GDFwSvcx64.exe
C:\Windows\System32\ThpSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\OBV Residential Suite\bin\SystemTray64.exe
C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files (x86)\PFU\ScanSnap\Driver\PfuSsMon.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\G Data\InternetSecurity\Firewall\GDFirewallTray.exe
C:\Program Files (x86)\G Data\InternetSecurity\AVKTray\AVKTray.exe
C:\Program Files (x86)\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Windows\System32\wiawow64.exe
C:\Program Files (x86)\Toshiba\TOSHIBA Web Camera Application\TWebCamera.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\TrueCrypt\TrueCrypt.exe
C:\Windows\System32\mobsync.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\prevhost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
F:\Downloaded System Restore Apps\Hijack this 2.0.2\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\syswow64\blank.htm
mWinlogon: Userinit=userinit.exe
BHO: G Data WebFilter: {0124123d-61b4-456f-af86-78c53a0790c5} - c:\program files (x86)\g data\internetsecurity\webfilter\AVKWebIE.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files (x86)\siber systems\ai roboform\roboform.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files (x86)\siber systems\ai roboform\roboform.dll
TB: G Data WebFilter: {0124123d-61b4-456f-af86-78c53a0790c5} - c:\program files (x86)\g data\internetsecurity\webfilter\AVKWebIE.dll
uRun: [RoboForm] "c:\program files (x86)\siber systems\ai roboform\RoboTaskBarIcon.exe"
mRun: [TrueImageMonitor.exe] c:\program files (x86)\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [Adobe Acrobat Speed Launcher] "c:\program files (x86)\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files (x86)\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe ARM] "c:\program files (x86)\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Intuit SyncManager] c:\program files (x86)\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [GDFirewallTray] c:\program files (x86)\g data\internetsecurity\firewall\GDFirewallTray.exe
mRun: [G DATA AntiVirus Trayapplication] c:\program files (x86)\g data\internetsecurity\avktray\AVKTray.exe
mRun: [Adobe Photo Downloader] "c:\program files (x86)\adobe\photoshop elements 6.0\apdproxy.exe"
mRun: [TWebCamera] "c:\program files (x86)\toshiba\toshiba web camera application\TWebCamera.exe" autorun
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files (x86)\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\scansn~1.lnk - c:\program files (x86)\pfu\scansnap\driver\PfuSsMon.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Customize Menu - file://c:\program files (x86)\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~2\micros~1\office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files (x86)\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files (x86)\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files (x86)\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files (x86)\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files (x86)\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files (x86)\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~2\micros~1\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files (x86)\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
BHO-X64: G Data WebFilter: {0124123D-61B4-456f-AF86-78C53A0790C5} - c:\program files (x86)\g data\internetsecurity\webfilter\AVKWebIEx64.dll
BHO-X64: G Data WebFilter Class - No File
TB-X64: G Data WebFilter: {0124123D-61B4-456f-AF86-78C53A0790C5} - c:\program files (x86)\g data\internetsecurity\webfilter\AVKWebIEx64.dll
TB-X64: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB-X64: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
mRun-x64: [ThpSrv] c:\windows\system32\thpsrv /logon
mRun-x64: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun-x64: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun-x64: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun-x64: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun-x64: [Acronis Scheduler2 Service] "c:\program files (x86)\common files\acronis\schedule2\schedhlp.exe"
mRun-x64: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun-x64: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun-x64: [OBASystemTray] "c:\program files\obv residential suite\bin\SystemTray64.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\users\don\appdata\roaming\mozilla\firefox\profiles\0o02cgpd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files (x86)\mozilla firefox\extensions\{9aa46f4f-4dc7-4c06-97af-5035170633fe}\components\AvkWebFilterFF.dll
FF - component: c:\program files (x86)\siber systems\ai roboform\firefox\components\rfproxy_31.dll

---- FIREFOX POLICIES ----
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 GDBehave;GDBehave;c:\windows\system32\drivers\GDBehave.sys [2009-11-21 34760]
R0 PxHlpa64;PxHlpa64;c:\windows\system32\drivers\PxHlpa64.sys [2009-12-3 52856]
R0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258);c:\windows\system32\drivers\tdrpm258.sys [2009-11-21 1477728]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2009-6-29 34880]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2009-6-29 14784]
R1 gdwfpcd;G DATA WFP CD;c:\windows\system32\drivers\gdwfpcd64.sys [2009-11-21 48584]
R1 GRD;G Data Rootkit Detector Driver;c:\windows\system32\drivers\GRD.sys [2009-11-25 106224]
R2 afcdpsrv;Acronis Nonstop Backup service;c:\program files (x86)\common files\acronis\cdp\afcdpsrv.exe [2009-11-21 2480048]
R2 AVKProxy;G Data AntiVirus Proxy;c:\program files (x86)\common files\g data\avkproxy\AVKProxy.exe [2009-12-20 1053768]
R2 AVKService;G Data Scheduler;c:\program files (x86)\g data\internetsecurity\avk\AVKService.exe [2009-8-12 397896]
R2 AVKWCtl;G Data Filesystem Monitor;c:\program files (x86)\g data\internetsecurity\avk\AVKWCtlX64.exe [2009-12-20 1731504]
R2 OBAAutoUpdate;AutoUpdateAgent (OBV Residential Suite);c:\program files\obv residential suite\aua\bin\Aua.exe [2009-12-25 73728]
R2 OBACDPService;Continuous Data Protection (OBV Residential Suite);c:\program files\obv residential suite\bin\CDPService64.exe [2009-12-25 360448]
R2 OBAScheduler;Online Backup Scheduler (OBV Residential Suite);c:\program files\obv residential suite\bin\Scheduler.exe [2009-12-25 77824]
R2 rimspci;rimspci;c:\windows\system32\drivers\rimspe64.sys [2009-11-21 60416]
R2 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe64.sys [2009-11-21 81408]
R2 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe64.sys [2009-11-21 55808]
R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [2009-11-21 251488]
R3 GDFwSvc;G Data Personal Firewall;c:\program files (x86)\g data\internetsecurity\firewall\GDFwSvcx64.exe [2009-12-20 1664560]
R3 GDMnIcpt;GDMnIcpt;c:\windows\system32\drivers\MiniIcpt.sys [2009-11-21 74184]
R3 GDPkIcpt;GDPkIcpt;c:\windows\system32\drivers\PktIcpt.sys [2009-11-21 57288]
R3 GDScan;G Data Scanner;c:\program files (x86)\common files\g data\gdscan\GDScan.exe [2009-12-20 302152]
R3 HookCentre;HookCentre;c:\windows\system32\drivers\HookCentre.sys [2009-11-21 42952]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\drivers\netw5v64.sys [2009-6-10 5434368]
R3 PGEffect;Pangu effect driver;c:\windows\system32\drivers\PGEffect.sys [2009-12-24 35008]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt64win7.sys [2009-6-10 187392]

=============== Created Last 30 ================

2010-01-23 14:48:11 0 d-----w- c:\program files (x86)\Trend Micro
2010-01-23 12:58:51 0 d--h--w- c:\windows\AxInstSV
2010-01-21 22:49:59 5961728 ----a-w- c:\windows\syswow64\mshtml.dll
2010-01-21 22:49:59 10976768 ----a-w- c:\windows\syswow64\ieframe.dll
2010-01-21 22:49:58 977920 ----a-w- c:\windows\syswow64\wininet.dll
2010-01-21 22:49:58 64512 ----a-w- c:\windows\syswow64\msfeedsbs.dll
2010-01-21 22:49:58 381440 ----a-w- c:\windows\syswow64\iedkcs32.dll
2010-01-21 22:49:58 1224704 ----a-w- c:\windows\syswow64\urlmon.dll
2010-01-21 22:49:58 1192960 ----a-w- c:\windows\system32\wininet.dll
2010-01-14 11:44:00 24416 ----a-r- c:\windows\system32\AdobePDFUI.dll
2010-01-12 22:27:52 70656 ----a-w- c:\windows\syswow64\fontsub.dll
2010-01-12 22:27:52 148480 ----a-w- c:\windows\system32\t2embed.dll
2010-01-12 22:27:52 108544 ----a-w- c:\windows\syswow64\t2embed.dll
2010-01-12 22:27:52 100864 ----a-w- c:\windows\system32\fontsub.dll
2010-01-09 22:35:03 0 d-----w- c:\users\don\New folder
2010-01-08 01:57:28 0 d-----w- c:\users\don\appdata\roaming\Fujitsu
2010-01-08 01:50:12 0 d-----w- c:\users\don\appdata\roaming\PFU
2010-01-08 01:48:08 161 ----a-w- c:\windows\DISPARAM.INI
2010-01-08 01:48:07 695296 ----a-w- c:\windows\system32\ippi5s300-x64.dll
2010-01-08 01:48:07 351744 ----a-w- c:\windows\system32\s300u-x64.dll
2010-01-08 01:48:07 33280 ----a-w- c:\windows\system32\fjmcusb-x64.dll
2010-01-08 01:48:07 2873856 ----a-w- c:\windows\system32\ijl5s300-x64.dll
2010-01-08 01:47:59 0 d-----w- c:\windows\SSDriver
2010-01-08 01:47:23 0 d-----w- c:\program files (x86)\common files\PFU
2010-01-08 01:47:10 0 d-----w- c:\program files (x86)\PFU
2009-12-25 20:06:52 0 d-----w- c:\users\don\.acb
2009-12-25 20:06:43 0 d-----w- c:\programdata\OBV Residential Suite
2009-12-25 20:06:05 0 d-----w- c:\program files\OBV Residential Suite
2009-12-25 19:16:49 2134016 ----a-w- c:\windows\syswow64\cdintf251.dll
2009-12-24 17:16:20 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_Apfiltr_01005.Wdf
2009-12-24 17:16:09 0 d-----w- c:\program files\Apoint2K
2009-12-24 17:14:38 35008 ----a-w- c:\windows\system32\drivers\PGEffect.sys

==================== Find3M ====================

2010-01-22 21:45:20 48584 ----a-w- c:\windows\system32\drivers\gdwfpcd64.sys
2010-01-14 17:12:06 212352 ------w- c:\windows\system32\MpSigStub.exe
2009-12-20 12:35:35 74184 ----a-w- c:\windows\system32\drivers\MiniIcpt.sys
2009-12-20 12:35:09 57288 ----a-w- c:\windows\system32\drivers\PktIcpt.sys
2009-12-20 12:32:28 34760 ----a-w- c:\windows\system32\drivers\GDBehave.sys
2009-12-03 07:42:03 1477728 ----a-w- c:\windows\system32\drivers\tdrpm258.sys
2009-12-03 07:42:01 943712 ----a-w- c:\windows\system32\drivers\timntr.sys
2009-11-26 04:46:32 106224 ----a-w- c:\windows\system32\drivers\GRD.sys
2009-10-29 07:48:16 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-29 07:22:37 2048 ----a-w- c:\windows\syswow64\tzres.dll
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-03-19 21:50:26 97280 ----a-w- c:\program files (x86)\common files\pcsbClean.exe
2008-03-07 01:31:44 134656 ----a-w- c:\program files (x86)\common files\PCSBoff.exe
2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 05:12:52 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 9:39:28.23 ===============



#2 drgrass


Posted 23 January 2010 - 08:57 PM

Closing this post as unresolved and trying Security Forums.

#3 Elise

  • Malware Study Hall Admin

Posted 26 January 2010 - 06:40 AM

Topic closed upon user's request.

regards, Elise
